WordPress Plugin Vulnerabilities

WP MultiTasking <= 0.1.12 - Welcome Popup Update via CSRF

Description

The plugin does not have CSRF check when updating welcome popups, which could allow attackers to make logged admins perform such action via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wp-multitasking
No known fix

References

CVE
CVE-2024-6853

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Norbert Hofmann
Submitter
Norbert Hofmann
Submitter website
https://www.linkedin.com/in/norbert-hofmann-53761417/
Verified
Yes
WPVDB ID
d1ce78c3-5d6c-465e-9ce8-6d92f7480333

Timeline

Publicly Published
2024-08-17 (about 1 year ago)
Added
2024-08-10 (about 1 year ago)
Last Updated
2024-08-10 (about 1 year ago)

Other

Published
Title
Published
2025-02-03
Title
OneStore Sites <= 0.1.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation
Published
2021-09-15
Title
Compact WP Audio Player < 1.9.7 - Setting Change via CSRF
Published
2025-12-15
Title
Meks Quick Plugin Disabler <= 1.0 - Cross-Site Request Forgery
Published
2023-06-26
Title
WooCommerce Google Sheet Connector < 1.3.6 - Access Code Update via CSRF
Published
2024-02-27
Title
Envo's Elementor Templates & Widgets for WooCommerce < 1.4.5 - Arbitrary Theme Activation via CSRF