Published on March 31st, 2022
WordPress Curtain 1.0.2 Cross Site Request Forgery
# Exploit Title: WordPress Plugin curtain 1.0.2 - CSRF
# Date: 29-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com
## Summary:
A cross-site request forgery (CSRF) vulnerability has been identified in
the curtain WordPress plugin that allows an attacker to activate or
deactivate a site's maintenance mode.
## Vulnerable URL:
http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=
## CSRF POC Exploit
```
```
- To deactivate, change the mode value to 0
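
The vulnerable URL above carries an empty `_wpnonce`, which points to a state change that is not tied to a verified nonce. The following is an added example of a hardened handler, not the Curtain plugin's own code: the function names, the nonce action and the option key are hypothetical, and the value set 0/1 for `mode` is an assumption (the advisory states only that 0 deactivates).

```php
<?php
// Added example. Names below are hypothetical, not taken from the plugin's source.
const EXAMPLE_NONCE_ACTION = 'example_curtain_set_mode'; // assumed nonce action
const EXAMPLE_OPTION       = 'example_curtain_mode';     // assumed option key

// Build the toggle link; the nonce is bound to this action and the logged-in user.
function example_curtain_toggle_url( int $mode ): string {
    $url = add_query_arg(
        array( 'page' => 'curtain', 'mode' => $mode ),
        admin_url( 'options-general.php' )
    );
    return wp_nonce_url( $url, EXAMPLE_NONCE_ACTION ); // appends _wpnonce=<token>
}

// State-changing handler: capability and nonce are both checked before any write.
function example_curtain_handle_mode_change(): void {
    if ( ! isset( $_GET['page'], $_GET['mode'] ) || 'curtain' !== $_GET['page'] ) {
        return; // not a mode-change request
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request when _wpnonce is missing, empty, expired or for another action.
    check_admin_referer( EXAMPLE_NONCE_ACTION, '_wpnonce' );

    // Accept only the assumed value set; arrays and other input are rejected.
    $raw = wp_unslash( $_GET['mode'] );
    if ( ! in_array( $raw, array( '0', '1' ), true ) ) {
        wp_die( 'Invalid mode.', '', array( 'response' => 400 ) );
    }
    update_option( EXAMPLE_OPTION, (int) $raw );

    // Redirect to a nonce-free URL so the token does not linger in history or Referer.
    wp_safe_redirect( admin_url( 'options-general.php?page=curtain' ) );
    exit;
}
add_action( 'admin_init', 'example_curtain_handle_mode_change' );
```

With this check in place, a cross-site request built like the vulnerable URL (empty `_wpnonce`) stops at `check_admin_referer()` and the option is never written.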