CVE-2020-36730 HIGH

CVE-2020-36730: CMP <= 3.8.1 - Missing Authorization

Vendor Niteo
Product CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Weakness CWE-862 · Missing authorization
Published June 7, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.

Key dates

02Disclosure timeline

June 7, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31609 WordPress WPCargo Track & Trace plugin <= 8.0.2 - Insecure Direct Object References (IDOR) vulnerability CVE-2026-39651 WordPress Total Poll Lite plugin <= 4.12.0 - Broken Access Control vulnerability CVE-2025-13620 Wp Social Login and Register Social Counter <= 3.1.3 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering CVE-2023-1299 Nomad Job Submitter Privilege Escalation Using Workload Identity CVE-2025-66112 WordPress Accessibility Toolkit by WebYes plugin <= 2.0.4 - Broken Access Control vulnerability