Description
Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance cmp-coming-soon-maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through <= 4.1.14.
Published: 2025-04-04
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unrestricted upload flaw that allows an attacker to place arbitrary files on the WordPress server, including executable files. Because the plugin accepts files of dangerous types, the flaw falls under CWE-434 and can be leveraged to execute code. Based on the description, it is inferred that the vulnerability is triggered by any user who can interact with the plugin's upload interface, typically without authentication. The result is that an attacker can gain full control of the affected WordPress installation, impacting confidentiality, integrity, and availability.

Affected Systems

The affected product is NiteoThemes CMP – Coming Soon & Maintenance. All released versions up to and including 4.1.14 are vulnerable; newer releases are not affected.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity, while the EPSS score of <1% suggests a very low but non-zero likelihood of exploitation at the time of analysis. The vulnerability can be triggered by any user who can access the plugin's upload interface, typically without authentication; note, however, that the CVSS vector recorded for this CVE carries PR:H (high privileges required), so the actual authentication requirement should be verified before triage. Once a malicious file is uploaded, it can be executed by the server, allowing the attacker to compromise the entire WordPress site. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 11:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMP – Coming Soon & Maintenance to the latest version (>=4.1.15).
  • If an update is not immediately possible, disable the plugin’s upload capability by removing the upload form or using a security plugin to block file uploads for that plugin.
  • Configure the web server to prevent execution of uploaded files in the wp-content/uploads directory, for example by adding an .htaccess rule that denies PHP execution.


Advisories

Source: EUVD
ID: EUVD-2025-9890
Title: Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.13.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
    Value: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
    Removed: Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.13.
    Added: Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance cmp-coming-soon-maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through <= 4.1.14.
  Type: Title
    Removed: WordPress CMP – Coming Soon & Maintenance plugin <= 4.1.13 - Remote Code Execution (RCE) vulnerability
    Added: WordPress CMP – Coming Soon & Maintenance plugin <= 4.1.14 - Remote Code Execution (RCE) vulnerability
  Type: References
  Type: Metrics (cvssV3_1)
    Value: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Fri, 04 Apr 2025 21:15:00 +0000

  Type: Metrics (ssvc)
    Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000

  Type: Description
    Added: Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.13.
  Type: Title
    Added: WordPress CMP – Coming Soon & Maintenance plugin <= 4.1.13 - Remote Code Execution (RCE) vulnerability
  Type: Weaknesses
    Added: CWE-434
  Type: References
  Type: Metrics (cvssV3_1)
    Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.747Z

Reserved: 2025-04-04T10:00:22.653Z

Link: CVE-2025-32118

Vulnrichment

Updated: 2025-04-04T19:53:58.332Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:19.413

Modified: 2026-04-23T15:28:35.553

Link: CVE-2025-32118

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:30:15Z

Weaknesses