CVE-2024-6855

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 8, 2024 / Updated: 2mo ago

CVSS 4.3 / EPSS 0.04% / Medium

Summary

The WP MultiTasking WordPress plugin through version 0.1.12 contains a vulnerability where it does not implement CSRF (Cross-Site Request Forgery) checks when updating exit popups. This lack of protection could allow attackers to manipulate admin actions through a CSRF attack.

Impact

If exploited, this vulnerability could allow attackers to trick logged-in administrators into performing unintended actions on the WordPress site, specifically related to updating exit popups. This could lead to unauthorized changes in the site's functionality or appearance, potentially impacting user experience or introducing malicious content. While the integrity impact is rated as LOW and there's no direct confidentiality or availability impact, the vulnerability could be used as part of a larger attack chain to compromise the website.

Exploitation

One proof-of-concept exploit is available on wpscan.com. There is no evidence of in-the-wild exploitation at the moment.

Patch

As of the latest information provided, a patch is not explicitly mentioned. The vulnerability affects WP MultiTasking plugin versions up to and including 0.1.12. Users should check for updates beyond this version and apply them if available.

Mitigation

1. Update the WP MultiTasking plugin to a version newer than 0.1.12 if available.
2. If an update is not available, consider temporarily disabling the WP MultiTasking plugin until a patched version is released.
3. Implement additional security measures such as Web Application Firewalls (WAF) that can help detect and prevent CSRF attacks.
4. Educate administrators about the risks of CSRF attacks and the importance of not clicking on unknown links while logged into the WordPress admin panel.
5. Regularly monitor WordPress and plugin updates, and apply security patches promptly when they become available.
6. Consider implementing additional authentication steps for critical admin actions if possible.
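The root cause described above (an admin action handler that saves settings without any request-origin check) is the standard WordPress CSRF pattern, and the standard fix is a nonce plus a capability check. The following is an added illustration, not code from the WP MultiTasking plugin: the hypothetical handler name `wpmt_example_save_popup`, the option name `wpmt_example_exit_popup`, and the nonce action `wpmt_example_save_popup_action` are all assumptions. The WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `update_option`) are real core functions.

```php
<?php
/**
 * Added example (not the plugin's code). Shows a settings-save handler
 * without CSRF protection beside a hardened version that follows the
 * WordPress nonce + capability pattern. Names prefixed "wpmt_example_"
 * are hypothetical.
 */

// --- Vulnerable shape: any POST reaching this action is honoured -----------
// Nothing here proves the request was intentionally submitted from this
// site's own admin page, so a forged cross-site form is indistinguishable
// from a legitimate one.
function wpmt_example_save_popup_vulnerable() {
    $text = isset( $_POST['popup_text'] ) ? wp_unslash( $_POST['popup_text'] ) : '';
    update_option( 'wpmt_example_exit_popup', $text ); // hypothetical option
}

// --- Hardened shape ---------------------------------------------------------
function wpmt_example_save_popup_hardened() {
    // 1. Authorization: only users allowed to manage the site may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF check: the nonce is tied to the logged-in user and to this
    //    specific action; a forged request from another origin cannot
    //    carry a valid one. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'wpmt_example_save_popup_action', 'wpmt_example_nonce' );

    // 3. Input handling: strip slashes added by WordPress, then sanitize.
    $text = isset( $_POST['popup_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['popup_text'] ) )
        : '';

    update_option( 'wpmt_example_exit_popup', $text ); // hypothetical option
}

// Register the hardened handler for a logged-in admin-post.php submission.
add_action( 'admin_post_wpmt_example_save_popup', 'wpmt_example_save_popup_hardened' );

// --- The matching settings form -------------------------------------------
// wp_nonce_field() emits the hidden nonce input the handler verifies.
function wpmt_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpmt_example_save_popup">
        <?php wp_nonce_field( 'wpmt_example_save_popup_action', 'wpmt_example_nonce' ); ?>
        <label>Exit popup text
            <input type="text" name="popup_text"
                   value="<?php echo esc_attr( get_option( 'wpmt_example_exit_popup', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, the two questions to ask of every handler that writes settings are whether it calls `current_user_can()` before acting and whether it verifies a nonce (`check_admin_referer()` or `wp_verify_nonce()`); either check alone is insufficient, since a nonce without a capability check lets any logged-in user save, and a capability check without a nonce is exactly the CSRF gap this CVE describes.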

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-6855. See article

Sep 8, 2024 at 6:03 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 8, 2024 at 6:04 AM
CVE Assignment

NVD published the first details for CVE-2024-6855

Sep 8, 2024 at 6:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.5%)

Sep 9, 2024 at 1:06 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Sep 9, 2024 at 8:40 PM / nvd
CVSS

A CVSS base score of 4.3 has been assigned.

Sep 11, 2024 at 4:25 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 11, 2024 at 7:11 PM
CVSS

A CVSS base score of 4.3 has been assigned.

Oct 28, 2024 at 9:28 PM / nvd

Affected Systems

Ngothang/wp_multitasking

Exploits

https://wpscan.com/vulnerability/1124b07a-6274-49df-be77-615fda8f3a38/

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

CVE-2024-6855 Exploit
CVE Id : CVE-2024-6855 Published Date: 2024-09-11T16:21:00+00:00 The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating exit popups, which could allow attackers to make logged admins perform such action via a CSRF attack inTheWild added a link to an exploit: https://wpscan.com/vulnerability/1124b07a-6274-49df-be77-615fda8f3a38/
Update Sun Sep 8 14:33:03 UTC 2024
CVE-2024-6855
Medium Severity Description The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating exit popups, which could allow attackers to make logged admins perform such action via a CSRF attack Read more at https://www.tenable.com/cve/CVE-2024-6855
NA - CVE-2024-6855 - The WP MultiTasking WordPress plugin through...
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating exit popups, which could allow attackers to make logged admins perform such action via a CSRF attack
CVE-2024-6855 - WordPress MultiTasking CSRF Vulnerability
CVE ID : CVE-2024-6855 Published : Sept. 8, 2024, 6:15 a.m. 17 minutes ago Description : The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating exit popups, which could allow attackers to make logged admins perform such action via a CSRF attack Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
