Hi,

I think I found SQL injection in custom-maintenance-mode via POST request to cmmemail argument in ajax_subscriber.php:
`
19 $wpuser_result = $wpdb->get_results(“SELECT * FROM “.$table_name.” WHERE cmm_email='”.$_GET[‘cmmemail’].”‘”);
20
21 foreach ( $wpuser_result as $userdetails ) {
22 $cmm_email = $userdetails->cmm_email;
23 }
24 if($cmm_email!=””)
25 {
26 echo $msg = “Aleardy”;
27 }
28 else
29 { $wpdb->insert( $table_name, array( ‘cmm_email’ => $_GET[‘cmmemail’], ‘cmm_date’ => date(‘Y:m:d H:i:s’)) );
30 echo $msg = “Success”;
31 }
‘

https://www.ads-software.com/plugins/custom-maintenance-mode/

Its broke, it does not show at all.

https://www.ads-software.com/plugins/custom-maintenance-mode/

My antivirus report this file :
“custom-maintenance-mode/maintenance/js/wpspandntclock.js”.

There is a strange function ‘eval’ in this file.

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!”.replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return’\\w+’};c=1};while(c–)if(k[c])p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,’g’),k[c]);return p}(‘[ redacted ]…………………………

Can you help me?

Thank you

Gilles

https://www.ads-software.com/plugins/custom-maintenance-mode/

Attractive page display for count down page and fully customize plugin

Update version 1.2 for custom maintenance mode
below functionality added on plugin

1. Subscriber form
2. Custom set
3. Subscriber list display on admin panel
4. Responsive admin panel of that plugin
5. Ajax base
6. Csv import subscriber list

and if logged in as an Admin on the site, then access view pages. other wise redirect page or count down page display.

Thanks & Regard
Subhash Patel

https://www.ads-software.com/plugins/custom-maintenance-mode/

Hey man, i really like the simplicity of this maintenance mode plugin. I have use many others that make it so hard to just assign a page from the site.

There is only one problem. Even when I am logged in as an Admin on the site, i can not view the pages I am working on. i get redirected to the maintenance page.

I’m sure you are interested in providing Admins the ability to view the complete site.

So until you have a chance to update the plugin, do you have a snippet you can give me that I can add to the core file to disable the maintenance page for admins?

I did not see this as an option for the pro version. If it is, kindly let me know.

Johnny

https://www.ads-software.com/plugins/custom-maintenance-mode/