Coming Soon Page Under Construction Maintenance Mode By Seedprod
CVE-2026-39464
|
EUVD-2026-20135
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8.
AnalysisAI
Server-side request forgery in SeedProd Coming Soon Page plugin versions through 6.19.8 allows high-privilege authenticated attackers to make arbitrary HTTP requests from the vulnerable WordPress server, potentially accessing internal resources, cloud metadata endpoints, or other services restricted to the server's network. The CVSS 5.5 score and low EPSS percentile (4%) reflect the requirement for administrative credentials, limiting real-world exploitability despite confirmed network accessibility.
Technical ContextAI
SeedProd Coming Soon Page is a WordPress plugin that provides maintenance mode and coming-soon page functionality. The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), indicating the plugin fails to properly validate or restrict URLs passed to server-side HTTP requests. Attackers with administrative privileges (PR:H in CVSS) can inject crafted URLs that cause the WordPress server to initiate requests to internal systems, cloud metadata services (AWS EC2 IMDSv1, Azure Instance Metadata Service), or other network-restricted resources. The scope change (S:C) indicates the impact extends beyond the vulnerable component to other services or systems reachable from the compromised server.
RemediationAI
Update SeedProd Coming Soon Page plugin to version 6.19.9 or later immediately. WordPress administrators should navigate to Plugins → Installed Plugins, locate 'Coming Soon Page, Under Construction & Maintenance Mode by SeedProd,' and select 'Update Now.' Verify the plugin version matches 6.19.9 or above after patching. No workarounds are available for SSRF vulnerabilities; patching is the only reliable mitigation. Review and restrict WordPress administrator account access to only trusted personnel, as this vulnerability requires high-privilege authentication. For additional details, refer to the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xfmf-hv5j-w87j