Without CSRF Protection, Admins May Fall Prey to Survey Scams
CVE-2024-6022

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Contentlock
Vendor: CVE Published:; 12 July 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The ContentLock WordPress plugin versions up to 1.0.3 is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from the absence of proper CSRF checks when administrators attempt to update the plugin settings. As a result, malicious actors can exploit this weakness to manipulate logged-in administrators into changing critical settings without their consent, potentially compromising the security of the WordPress site. Website owners are advised to apply necessary patches and implement security best practices to mitigate this risk.

Affected Version(s)

ContentLock 0 <= 1.0.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-6022 - Proof of Concept

References

https://wpscan.com/vulnerability/871a93b5-ec67-4fe0-bc39-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 12, 2024
👾
Exploit known to exist
Jul 12, 2024
Vulnerability published
Jul 12, 2024
Vulnerability Reserved
Jun 14, 2024

Credit

Norbert Hofmann

WPScan