Skip to main content

Exclusive Content Password Protect CVE-2024-52402

CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-11-19 audit@patchstack.com
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:23 NVD
9.6 (CRITICAL)
CVE Published
Nov 19, 2024 - 17:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload a Web Shell to a Web Server.This issue affects Exclusive Content Password Protect: from n/a through <= 1.1.0.

AnalysisAI

Cross-Site Request Forgery in the gunghoinc Exclusive Content Password Protect WordPress plugin (versions up to and including 1.1.0) enables remote attackers to coerce an authenticated administrator into performing actions that result in uploading a web shell to the server. No public exploit identified at time of analysis, but the EPSS score of 14.17% (94th percentile) indicates elevated probability of exploitation relative to most CVEs. Successful exploitation yields full server compromise via attacker-controlled code execution.

Technical ContextAI

The affected component is a WordPress plugin (Exclusive Content Password Protect by gunghoinc) used to restrict access to content via passwords. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin's privileged actions - specifically those handling file uploads in the admin interface - lack anti-CSRF protections such as WordPress nonce validation (wp_verify_nonce) or origin/referer checks. Because state-changing requests are accepted without proof that the user intended them, an attacker who can lure a logged-in administrator to a malicious page can force the browser to submit a forged upload request authenticated by the admin's session cookie, leading to a web shell being written to the web server.

Affected ProductsAI

The vulnerability affects gunghoinc Exclusive Content Password Protect (a WordPress plugin) in all versions from initial release through and including version 1.1.0. No CPE strings were provided in the source data. The vulnerability was reported and tracked by Patchstack (audit@patchstack.com), and their advisory database (patchstack.com) is the authoritative source for vendor-side advisory details and confirmed fixed versions.

RemediationAI

No vendor-released patch identified at time of analysis - the provided data lists no fix version above 1.1.0. Site operators should consult the Patchstack advisory for the latest fixed-version status and, if no upgrade is available, deactivate and remove the Exclusive Content Password Protect plugin and replace it with a maintained alternative; this is the only reliable mitigation since the vulnerable code path is in the plugin itself. Compensating controls include restricting wp-admin access by IP allowlist via web server rules (side effect: legitimate admins outside the allowlist lose access), requiring admins to use a dedicated browser profile with no other tabs open when administering the site (operationally awkward but eliminates the cross-site request precondition), and deploying a WAF rule that blocks plugin upload requests lacking a valid same-origin Referer header (may break legitimate uploads if Referer is stripped by privacy tooling). Monitor wp-content/uploads and plugin directories for unexpected PHP files as a detection control.

Share

CVE-2024-52402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy