Impact
A cross-site request forgery (CSRF, CWE-352) flaw exists in RSTheme Ultimate Coming Soon & Maintenance. An attacker who lures a logged-in WordPress user onto a page they control can make that user's browser submit a forged request to the plugin, triggering any action the plugin allows that user to perform: changing site configuration, disabling maintenance mode, or altering plugin settings, all without the user's knowledge or consent. The weakness primarily compromises the integrity of the site's configuration; where the victim holds high privileges, such as an administrator account, the forged requests execute with those privileges and may provide a foothold for further compromise of the underlying WordPress installation.
Affected Systems
The issue affects all installations of RSTheme Ultimate Coming Soon & Maintenance up to and including version 1.0.9. WordPress sites that rely on this plugin for downtime messaging, or to keep visitors out while the site is under maintenance, are therefore exposed.
Risk and Exploitability
With a CVSS score of 5.4 the flaw is rated Medium. An EPSS score below 1% indicates that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a crafted HTTP request: a malicious website or a link in spam causes the victim's browser to submit a request to the plugin's action handler with the victim's WordPress session cookies attached, and the plugin performs the state change without requiring a valid nonce (CSRF token). Exploitation requires the victim to be logged in to WordPress at the time and to load attacker-controlled content. The difficulty of the attack does not depend on the victim's role, but its impact grows with it: a forged request from an administrator's browser executes with administrator capabilities.
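The pattern behind a CWE-352 finding in a WordPress plugin, and its fix, as an added example that is not the plugin's own code. The action names, option key, form field and nonce name (`rst_save_settings`, `rst_maintenance_enabled`, `maintenance_enabled`, `rst_nonce`) are hypothetical stand-ins; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`) are real core API.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.

/* --- Vulnerable pattern: a state change on an authenticated request with no nonce --- */
add_action( 'admin_post_rst_save_settings_vuln', 'rst_save_settings_vuln' );
function rst_save_settings_vuln() {
    // The only thing tying this request to the user is the login cookie, and the
    // browser attaches that cookie to a form POST from a third-party page as well.
    // Any logged-in user who visits an attacker's page can therefore be made to
    // flip this option without ever seeing the plugin's settings screen.
    $enabled = isset( $_POST['maintenance_enabled'] ) ? '1' : '0';
    update_option( 'rst_maintenance_enabled', $enabled );
    wp_safe_redirect( admin_url( 'admin.php?page=rst-settings' ) );
    exit;
}

/* --- Hardened pattern: nonce bound to the action and user, then a capability check --- */
function rst_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rst_save_settings">
        <?php
        // Emits a hidden field "rst_nonce" holding a keyed hash of the action,
        // the current user's ID, their session token and a time tick.
        wp_nonce_field( 'rst_save_settings', 'rst_nonce' );
        ?>
        <label>
            <input type="checkbox" name="maintenance_enabled" value="1">
            Enable maintenance mode
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_rst_save_settings', 'rst_save_settings' );
function rst_save_settings() {
    // 1. CSRF defence: a cross-site page cannot know or forge the nonce for this
    //    user and action. check_admin_referer() calls wp_die() on a missing or
    //    invalid nonce, so nothing below runs for a forged request.
    check_admin_referer( 'rst_save_settings', 'rst_nonce' );

    // 2. Authorization: a valid nonce proves the request came from this user's own
    //    page, not that the user may change settings. Check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'rst' ), 403 );
    }

    // 3. Only now act on the input, normalised to the two values the option accepts.
    $enabled = ( isset( $_POST['maintenance_enabled'] ) && '1' === $_POST['maintenance_enabled'] ) ? '1' : '0';
    update_option( 'rst_maintenance_enabled', $enabled );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=rst-settings' ) ) );
    exit;
}
```

For `wp_ajax_*` handlers the equivalent check is `check_ajax_referer()`, and REST endpoints registered with `register_rest_route()` get the same protection from the `X-WP-Nonce` header that core verifies for cookie-authenticated requests. When reviewing a plugin for this class of bug, search its `admin_post_*`, `wp_ajax_*` and `init`-hooked handlers for calls to `update_option()` or similar state changes that are not preceded by one of these nonce checks; the capability check alone does not stop CSRF, because the forged request already carries the victim's capabilities.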
OpenCVE Enrichment