PatchSiren cyber security CVE debrief

CVE-2022-50955 WordPress CVE debrief

CVE-2022-50955 affects the WordPress Curtain plugin 1.0.2 and is described as a cross-site request forgery issue that can let an attacker toggle site maintenance mode by inducing an authenticated administrator to submit a forged request. The supplied corpus ties the issue to missing nonce validation on the options-general.php page and rates it Medium severity (CVSS 5.3).

Vendor: WordPress
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

WordPress site administrators, security teams managing plugins, and anyone running or auditing the Curtain plugin should pay attention, especially if maintenance-mode changes are sensitive to uptime or availability.

Technical summary

The vulnerability is identified as CWE-352 (CSRF). According to the supplied description, the plugin accepts requests on options-general.php with curtain parameters that can activate or deactivate maintenance mode without proper nonce validation, allowing a forged request to succeed if an authenticated administrator is induced to submit it.

Defensive priority

Medium. The impact is limited to unauthorized maintenance-mode changes, but that can still disrupt availability or be used for nuisance or operational abuse on affected WordPress sites.

Recommended defensive actions

  • Check whether the Curtain plugin is installed and in use on any WordPress instance.
  • Remove or disable the plugin if it is not required.
  • If the plugin must remain installed, verify whether a patched version is available and deploy it as soon as possible.
  • Review WordPress admin controls for CSRF protections, including nonce validation on plugin settings actions.
  • Monitor for unexpected maintenance-mode toggles and review recent administrator actions around options-general.php requests.
  • Restrict administrative access to trusted accounts and reduce exposure of admin sessions where practical.
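As an added illustration, not code from the Curtain plugin or from this debrief: a hypothetical WordPress settings handler showing the missing-nonce pattern the technical summary describes beside the hardened form that checks capability and nonce before toggling a maintenance-mode option. All option, parameter and function names other than the WordPress API calls are assumptions.

```php
<?php
// Added illustration (hypothetical plugin code, not the Curtain plugin's own):
// a settings handler run on admin pages that toggles a maintenance-mode option.
// Option and parameter names are assumptions for the example.

// Weak pattern matching the CWE-352 description: the handler trusts any request
// carrying the parameter, so a forged cross-site request submitted by a logged-in
// administrator flips the option with no proof that the administrator intended it.
function example_toggle_maintenance_unsafe() {
    if ( isset( $_REQUEST['example_maintenance'] ) ) {
        update_option( 'example_maintenance_mode', '1' === $_REQUEST['example_maintenance'] ? 1 : 0 );
    }
}

// Hardened pattern: only handle our own POST, require the capability, and verify
// a nonce tied to this specific action. check_admin_referer() calls wp_die() on a
// missing or invalid nonce, so the option is never touched by a forged request.
function example_toggle_maintenance_safe() {
    if ( ! isset( $_POST['example_maintenance'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_toggle_maintenance', 'example_maintenance_nonce' );
    $enabled = ( '1' === sanitize_text_field( wp_unslash( $_POST['example_maintenance'] ) ) );
    update_option( 'example_maintenance_mode', $enabled ? 1 : 0 );
}
add_action( 'admin_init', 'example_toggle_maintenance_safe' );

// The form that submits the toggle must carry the matching nonce field;
// wp_nonce_field() emits the hidden input that check_admin_referer() validates.
function example_render_toggle_form() {
    $enabled = (int) get_option( 'example_maintenance_mode', 0 );
    echo '<form method="post" action="' . esc_url( admin_url( 'options-general.php' ) ) . '">';
    wp_nonce_field( 'example_toggle_maintenance', 'example_maintenance_nonce' );
    echo '<input type="hidden" name="example_maintenance" value="' . ( $enabled ? '0' : '1' ) . '">';
    submit_button( $enabled ? 'Disable maintenance mode' : 'Enable maintenance mode' );
    echo '</form>';
}
```

The nonce binds the request to the logged-in user's session and to this one action, which is the check whose absence the advisory attributes to the plugin.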

Evidence notes

The supplied NVD record and linked VulnCheck advisory describe a CSRF issue in Curtain 1.0.2 that can toggle maintenance mode via forged requests to options-general.php without valid nonce validation. The supplied corpus also identifies CWE-352 and a Medium CVSS 5.3 score. The CVE record in the supplied feed is dated 2026-05-10; that date is used only as the record timing context.

Official resources

Prepared from the supplied official and referenced corpus only, with no exploit code or reproduction steps included. The CVE record timing in the feed is 2026-05-10; that is not treated as the underlying vulnerability date.