WordPress Plugin Vulnerabilities

Curtain < 1.0.2 - Unauthenticated Maintenance Mode Switch

Description

The plugin does not have authorisation and CSRF checks in place when switching maintenance modes, which could allow unauthenticated attackers change maintenance modes

Affects Plugins

Plugin icon
curtain
Fixed in 1.0.2

References

URL
https://plugins.trac.wordpress.org/changeset/1107286

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.2 (high)

Miscellaneous

Verified
Yes
WPVDB ID
1dbb0b1c-938b-4f82-af7d-9a7bc00bdc26

Timeline

Publicly Published
2015-03-07 (about 11 years ago)
Added
2022-03-30 (about 4 years ago)
Last Updated
2022-03-30 (about 4 years ago)

Other

Published
Title
Published
2025-04-18
Title
Booking and Rental Manager < 2.3.7 - Missing Authorization
Published
2022-02-15
Title
Relevanssi - Subscriber+ Unauthorised AJAX Calls
Published
2024-08-19
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.14.0 - Missing Authorization to Limited Information Exposure
Published
2024-02-12
Title
WP Media folder < 5.7.3 - Missing Authorization to Authenticated(Subscriber+) Title Modification
Published
2025-10-19
Title
WebinarPress <= 1.33.28 - Missing Authorization