VYPR
Medium severity · 4.3 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50955

Description

WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page with curtain parameters to toggle maintenance mode without valid nonce validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress Plugin Curtain 1.0.2 lacks CSRF protections, allowing attackers to toggle site maintenance mode by tricking an authenticated administrator into submitting a forged request.

Vulnerability Details

WordPress Plugin Curtain versions up to 1.0.2 contain a cross-site request forgery (CSRF) vulnerability in the plugin's settings handling on the options-general.php page. The plugin does not validate a nonce (the per-user, per-action token WordPress issues for state-changing admin requests) when it processes curtain parameters, specifically the mode parameter that activates or deactivates site maintenance mode [1][2]. Because the handler accepts any request carrying the right parameters, an attacker can forge one that alters the maintenance state without the administrator's knowledge.

Exploitation

An attacker can craft a malicious HTML form or link that submits a forged request to the vulnerable endpoint. The attacker needs no credentials of their own; the attack relies on social engineering to get an authenticated WordPress administrator to execute the request (e.g., by visiting a crafted page or clicking a link), so that the administrator's browser attaches their session cookies. The example proof-of-concept uses a self-submitting form with an empty nonce and a mode parameter set to 0 or 1 to toggle the maintenance state [2]. Whether the forged request actually carries the victim's session depends on the browser: one that treats cookies without a SameSite attribute as Lax may withhold them from a cross-site POST, so the attack is not guaranteed to succeed against every administrator.

Impact and Mitigation

Successful exploitation allows an attacker to activate or deactivate maintenance mode, which can cause denial of service (by making the site inaccessible to visitors) or silently re-expose a site an administrator deliberately took offline. As of the latest information, no patched version of the Curtain plugin has been released, and the plugin may be unsupported. Administrators are advised to disable or remove the plugin if it is not essential, or to implement additional security controls (e.g., custom nonce checks) as a workaround [1]. Any fix, whether from the vendor or applied locally, needs two checks the handler currently lacks: a nonce check that ties the request to a form the user actually loaded, and a capability check that the user may manage options at all.
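To make the missing check concrete for both the Details and the Mitigation sections, here is an added example, written for this page and not taken from the Curtain plugin's source or from the cited references. It shows a minimal settings handler in the CSRF-prone shape the advisory describes, then the same handler hardened with WordPress's standard nonce and capability checks. All option, action, field and function names prefixed `example_curtain_` are hypothetical; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`, the `admin_post_{action}` hook) are real.

```php
<?php
/*
 * Added example (not the Curtain plugin's own code). Names prefixed
 * example_curtain_ are hypothetical; WordPress API calls are real.
 */

/*
 * Vulnerable pattern: the handler trusts any request that carries the mode
 * parameter. A self-submitting cross-site form posted from an attacker's page
 * while an administrator is logged in reaches this code with the admin's
 * cookies and flips the option, exactly the CSRF the advisory describes.
 */
function example_curtain_vulnerable_save() {
    if ( isset( $_POST['example_curtain_mode'] ) ) {
        // No nonce check and no capability check.
        update_option( 'example_curtain_mode', (int) $_POST['example_curtain_mode'] ? 1 : 0 );
    }
}

/*
 * Hardened pattern, part 1: the settings form embeds a nonce tied to the
 * current user and to the action name 'example_curtain_save'. An attacker's
 * page cannot read or predict this value, so a forged form cannot include it.
 */
function example_curtain_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_curtain_save', 'example_curtain_nonce' ); ?>
        <input type="hidden" name="action" value="example_curtain_save">
        <label>
            <input type="checkbox" name="example_curtain_mode" value="1"
                <?php checked( 1, (int) get_option( 'example_curtain_mode', 0 ) ); ?>>
            Enable maintenance mode
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/*
 * Hardened pattern, part 2: the handler refuses the request unless the caller
 * may manage options AND the request carries a valid nonce. The proof of
 * concept in the advisory sends an empty nonce, which check_admin_referer()
 * rejects with a 403 before the option is touched.
 */
function example_curtain_hardened_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Verifies $_POST['example_curtain_nonce'] against the 'example_curtain_save'
    // action for the current user; dies with a 403 page on failure.
    check_admin_referer( 'example_curtain_save', 'example_curtain_nonce' );

    // Normalise to the two states the advisory describes (0 = off, 1 = on).
    $mode = ! empty( $_POST['example_curtain_mode'] ) ? 1 : 0;
    update_option( 'example_curtain_mode', $mode );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_curtain_save', 'example_curtain_hardened_save' );
```

The order of the two checks matters for the reason the advisory gives: the nonce alone proves the request came from a form the user loaded, the capability check alone proves the user is allowed to change the setting, and only together do they stop a forged request from a legitimate administrator. Because the Curtain plugin has no patch, the same pair of checks is what a site owner would need to add in a local modification or a must-use plugin if removing the plugin is not an option; how to hook that in front of the plugin's own handler depends on its code, which this example does not reproduce.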

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

References: 3

News mentions: 3