{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39464", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:41:57.169Z", "datePublished": "2026-04-08T08:30:06.040Z", "dateUpdated": "2026-04-08T08:30:06.040Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "coming-soon", "product": "Coming Soon Page, Under Construction & Maintenance Mode by SeedProd", "vendor": "SeedProd", "versions": [{"changes": [{"at": "6.19.9", "status": "unaffected"}], "lessThanOrEqual": "6.19.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:56.840Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.<p>This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:06.040Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin <= 6.19.8 - Server Side Request Forgery (SSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8."}], "id": "CVE-2026-39464", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:21.667", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.19.8]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.9,*]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "Coming Soon Page, Under Construction & Maintenance Mode by SeedProd", "source": "cna", "vendor": "SeedProd"}, "product": "coming_soon_page,_under_construction_&_maintenance_mode", "vendor": "seedprod"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:28:34.290874+00:00", "value": {"mitigation_remediation": ["Upgrade the SeedProd plugin to version 6.19.9 or later.", "If an upgrade is not immediately feasible, disable the Coming Soon feature or restrict the plugin to trusted administrators only.", "Verify and restrict any hard\u2011coded URLs in the plugin settings, ensuring they are validated or whitelisted."], "summary": {"action": "Patch Now", "impact": "Remote Data Exfiltration"}, "threat_synthesis": {"affected_systems": "SeedProd Coming Soon Page, Under Construction & Maintenance Mode plugin for WordPress, versions up to and including 6.19.8. All WordPress sites running this plugin are vulnerable.", "description_and_impact": "The SeedProd Coming Soon Page plugin contains a Server\u2011Side Request Forgery flaw that allows an attacker to supply arbitrary URLs through the plugin\u2019s interface, causing the server to perform HTTP requests on their behalf. This flaw can expose sensitive internal data, manipulate internal services, or provide a foothold for further exploitation.", "risk_and_exploitability": "No CVSS or EPSS rating is published, and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating it has not yet been widely exploited. The likely attack vector is via the WordPress admin interface or exposed plugin endpoints that accept unvalidated URLs, allowing remote actors to target internal network resources."}}}}, "created": "2026-04-08T19:43:24.907564+00:00", "updated": "2026-04-09T08:22:18.811126+00:00", "vendors": ["seedprod", "seedprod$PRODUCT$coming_soon_page,_under_construction_&_maintenance_mode", "wordpress", "wordpress$PRODUCT$wordpress"]}