WordPress Plugin Vulnerabilities

WP MultiTasking <= 0.1.12 - Header/Footer/Body Script Update via CSRF

Description

The plugin does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wp-multitasking
No known fix

References

CVE
CVE-2024-6857

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Norbert Hofmann
Submitter
Norbert Hofmann
Submitter website
https://www.linkedin.com/in/norbert-hofmann-53761417/
Verified
Yes
WPVDB ID
97636602-2dd0-465b-b6dc-acb42147edb3

Timeline

Publicly Published
2025-03-19 (about 10 months ago)
Added
2025-03-19 (about 10 months ago)
Last Updated
2025-03-19 (about 10 months ago)

Other

Published
Title
Published
2023-07-10
Title
WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF
Published
2024-02-22
Title
Colibri Page Builder < 1.0.260 - Import Images, Delete Post, Save Theme Data via CSRF
Published
2025-09-22
Title
WP Content Protection <= 1.3 - Cross-Site Request Forgery
Published
2025-09-05
Title
Developer Tools Blocker <= 3.2.1 - Cross-Site Request Forgery
Published
2025-11-21
Title
SupportCandy < 3.4.2 - Cross-Site Request Forgery