Skip to main content

Coming Soon Page Under Construction Maintenance Mode By Seedprod CVE-2026-39464

| EUVDEUVD-2026-20135 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 Patchstack GHSA-xfmf-hv5j-w87j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:39 vuln.today
CVSS changed
Apr 14, 2026 - 16:22 NVD
5.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20135
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8.

AnalysisAI

Server-side request forgery in SeedProd Coming Soon Page plugin versions through 6.19.8 allows high-privilege authenticated attackers to make arbitrary HTTP requests from the vulnerable WordPress server, potentially accessing internal resources, cloud metadata endpoints, or other services restricted to the server's network. The CVSS 5.5 score and low EPSS percentile (4%) reflect the requirement for administrative credentials, limiting real-world exploitability despite confirmed network accessibility.

Technical ContextAI

SeedProd Coming Soon Page is a WordPress plugin that provides maintenance mode and coming-soon page functionality. The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), indicating the plugin fails to properly validate or restrict URLs passed to server-side HTTP requests. Attackers with administrative privileges (PR:H in CVSS) can inject crafted URLs that cause the WordPress server to initiate requests to internal systems, cloud metadata services (AWS EC2 IMDSv1, Azure Instance Metadata Service), or other network-restricted resources. The scope change (S:C) indicates the impact extends beyond the vulnerable component to other services or systems reachable from the compromised server.

RemediationAI

Update SeedProd Coming Soon Page plugin to version 6.19.9 or later immediately. WordPress administrators should navigate to Plugins → Installed Plugins, locate 'Coming Soon Page, Under Construction & Maintenance Mode by SeedProd,' and select 'Update Now.' Verify the plugin version matches 6.19.9 or above after patching. No workarounds are available for SSRF vulnerabilities; patching is the only reliable mitigation. Review and restrict WordPress administrator account access to only trusted personnel, as this vulnerability requires high-privilege authentication. For additional details, refer to the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve.

Share

CVE-2026-39464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy