Exploit
CVE-2024-6856

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 8, 2024 / Updated: 2mo ago

CVSS 4.3 / EPSS 0.04% / Medium

Summary

The WP MultiTasking WordPress plugin through version 0.1.12 lacks CSRF (Cross-Site Request Forgery) protection when updating its settings. This vulnerability could allow attackers to manipulate a logged-in admin into changing the plugin's settings through a CSRF attack.

Impact

If exploited, this vulnerability could lead to unauthorized changes in the WP MultiTasking plugin settings. An attacker could trick an authenticated administrator into unknowingly modifying the plugin configuration, potentially compromising the integrity of the WordPress site. While the direct impact is limited to low integrity impact, it could potentially be leveraged for further attacks or to manipulate the plugin's functionality in ways that benefit the attacker.

Exploitation

One proof-of-concept exploit is available on wpscan.com. There is no evidence of in-the-wild exploitation at the moment.

Patch

As of the latest information provided, a patch is not explicitly mentioned. The vulnerability affects WP MultiTasking WordPress plugin versions up to and including 0.1.12. Users should check for updates beyond this version and apply them if available.

Mitigation

1. Update the WP MultiTasking plugin to a version newer than 0.1.12 if available.
2. Implement strong CSRF protections across all WordPress admin functionalities.
3. Educate administrators about CSRF risks and safe browsing practices while logged into the WordPress admin panel.
4. Consider implementing additional security layers such as Web Application Firewalls (WAF) that can help detect and prevent CSRF attacks.
5. Regularly review and audit plugin settings to detect any unauthorized changes.
6. If updates are not available and the plugin is not critical, consider temporarily disabling it until a secure version is released.
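Mitigation step 2 is the fix that addresses the root cause: a settings handler that accepts a POST only because the browser carried the admin's session cookie must also require proof that the request originated from the plugin's own form. The following is an added example, not the WP MultiTasking plugin's own code; the option name, action name and nonce field name are placeholders. It shows a hypothetical unprotected handler next to the hardened form using WordPress's nonce and capability APIs (`wp_nonce_field()`, `check_admin_referer()`, `current_user_can()`), which is the pattern a WordPress plugin uses to close a CWE-352 gap of this kind.

```php
<?php
// Added example of a WordPress plugin settings handler (hypothetical; not the
// WP MultiTasking plugin's code). Option/action/nonce names are placeholders.

// --- Unprotected pattern: the POST is trusted because the user is logged in. ---
function example_save_settings_unprotected() {
    if ( isset( $_POST['example_setting'] ) ) {
        // No nonce and no capability check: any page the admin's browser
        // visits can submit this form on their behalf (CWE-352).
        update_option(
            'example_setting',
            sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        );
    }
}

// --- Hardened pattern: capability check plus a nonce bound to this action. ---
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits a hidden field whose value is tied to this action, the current
        // user and the current session, and expires after a limited lifetime.
        wp_nonce_field( 'example_save_settings', 'example_nonce' );
        ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="example_setting"
               value="<?php echo esc_attr( get_option( 'example_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_protected() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the nonce must verify for this action; a cross-site
    //    form cannot supply it. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Input handling: unslash and sanitize before persisting.
    $value = isset( $_POST['example_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        : '';
    update_option( 'example_setting', $value );

    // Redirect after POST so a refresh does not resubmit the form.
    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) )
    );
    exit;
}

// admin-post.php dispatches to this hook for logged-in users with action=example_save_settings.
add_action( 'admin_post_example_save_settings', 'example_save_settings_protected' );
```

The two checks are independent and both are needed: the capability check stops a low-privilege account from saving settings at all, while the nonce stops a privileged account's browser from being driven by a third-party page. For settings changed via a GET link rather than a form, the same protection is `wp_nonce_url()` on the link and `check_admin_referer()` in the handler. For step 5, an audit can compare the stored option against a known-good value, since a CSRF-driven change leaves no trace other than the changed option itself.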

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-6856. See article

Sep 8, 2024 at 6:03 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 8, 2024 at 6:04 AM
CVE Assignment

NVD published the first details for CVE-2024-6856

Sep 8, 2024 at 6:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.5%)

Sep 9, 2024 at 1:06 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Sep 9, 2024 at 8:40 PM / nvd
CVSS

A CVSS base score of 4.3 has been assigned.

Sep 11, 2024 at 4:25 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 11, 2024 at 7:11 PM
CVSS

A CVSS base score of 4.3 has been assigned.

Oct 28, 2024 at 9:28 PM / nvd

Affected Systems

Ngothang/wp_multitasking

Exploits

https://wpscan.com/vulnerability/9700845e-89ca-4f9b-95f0-4b46a975b662/

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

CVE-2024-6856 Exploit
CVE Id : CVE-2024-6856 Published Date: 2024-09-11T16:20:00+00:00 The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack inTheWild added a link to an exploit: https://wpscan.com/vulnerability/9700845e-89ca-4f9b-95f0-4b46a975b662/
Update Sun Sep 8 14:33:03 UTC 2024
CVE-2024-6856
Medium Severity Description The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Read more at https://www.tenable.com/cve/CVE-2024-6856
NA - CVE-2024-6856 - The WP MultiTasking WordPress plugin through...
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-6856 - WordPress WP MultiTasking CSRF Vulnerability
CVE ID : CVE-2024-6856 Published : Sept. 8, 2024, 6:15 a.m. 17 minutes ago Description : The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None
