The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.
https://www.wordfence.com/blog/2016/07/3-vulnerabilities-wp-maintenance-mode/