Cross-Site Request Forgery Vulnerability in WordPress Plugin Curtain by WordPress
CVE-2022-50955

5.3MEDIUM

Key Information:

Vendor

WordPress
Status
Curtain
Vendor
CVE Published:
10 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2022-50955?

The Curtain plugin for WordPress version 1.0.2 is susceptible to cross-site request forgery (CSRF), enabling attackers to manipulate site maintenance settings. By sending specially crafted requests, malicious actors can deceive authenticated administrators into toggling the maintenance mode state without proper nonce validation. This vulnerability poses a significant risk to site integrity and administration processes, potentially leading to unauthorized site changes.

Affected Version(s)

Curtain 1.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-50955 - Proof of Concept

References

https://www.exploit-db.com/exploits/50842
exploit
https://wordpress.org/plugins/curtain/
product
https://www.vulncheck.com/advisories/wordpress-plugin-cur...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hassan Khan Yusufzai - Splint3r7
.