The XSS flaw allows attackers to inject JavaScript or HTML code into the blog front-end of WordPress sites running the “Coming Soon Page & Maintenance Mode” plugin version 1.7.8 or below.
This causes the compromised WordPress sites to display unwanted popup ads and redirect visitors to malicious landing pages.
READ MORE AT https://cyware.com/news/attackers-abuse-xss-vulnerability-in-wordpress-plugin-to-display-malverts-1a533b02