CVE-2024-6853
📋 TL;DR
The WP MultiTasking WordPress plugin through version 0.1.12 performs no CSRF check when welcome popups are updated. An attacker who lures a logged-in administrator to a malicious page or link can therefore have the administrator's own browser submit a popup update with attacker-chosen content. Any WordPress site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- WP MultiTasking WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could change the welcome popup to show malicious content, redirect visitors to phishing sites or, if the plugin renders popup content without escaping, inject JavaScript that runs in every visitor's browser, including administrators'. WordPress authentication cookies are HttpOnly, so direct cookie theft by script is unlikely, but script running inside an administrator's session can still issue further authenticated requests on their behalf.
Likely Case
Attackers would modify popup content to display spam, phishing links, or unwanted advertisements to site visitors.
If Mitigated
With proper CSRF protections or plugin updates, the vulnerability is eliminated and no unauthorized popup modifications can occur.
🎯 Exploit Status
Exploitation requires social engineering: an administrator must visit an attacker-controlled page or follow a crafted link while logged in to the target site, after which their browser sends the forged update request with their session cookies. Browsers that default cookies to SameSite=Lax (Chrome and Edge) will not attach the session cookie to a cross-site POST, which narrows the attack to GET-triggered updates or to browsers without that default.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.13 or later
Vendor Advisory: https://wpscan.com/vulnerability/d1ce78c3-5d6c-465e-9ce8-6d92f7480333/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP MultiTasking plugin.
4. Click 'Update Now' if available, or manually update to version 0.1.13 or later.
5. Verify that the update completes successfully and the listed version is 0.1.13 or later.
🔧 Temporary Workarounds
Disable WP MultiTasking Plugin
Temporarily deactivate the vulnerable plugin until it is patched.
wp plugin deactivate wp-multitasking
Implement CSRF Protection Manually
Add a WordPress nonce check (and a capability check) to the welcome popup update handler via custom code, so that the handler rejects requests that were not issued from a form or script WordPress rendered for the current administrator.
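The following is an added illustration of the missing check, written for this page; it is not WP MultiTasking's code, and the hook, option and nonce-action names (example_save_welcome_popup, example_welcome_popup) are hypothetical. The first handler shows the vulnerable pattern, where nothing distinguishes a request from the plugin's settings page from one auto-submitted by an attacker's hidden form; the second shows the hardened pattern with check_ajax_referer, a capability check and output-safe sanitisation, plus the equivalent classic-form version using wp_nonce_field and check_admin_referer.

```php
<?php
/**
 * Illustrative welcome-popup update handlers: vulnerable form vs hardened form.
 * Added example for this page, NOT the plugin's code; all names are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Any page that can make the logged-in admin's browser POST here (e.g. a hidden
// auto-submitting form on an attacker's site) rewrites the popup, because the
// handler checks neither a nonce nor a capability.
add_action( 'wp_ajax_example_save_welcome_popup_vuln', function () {
    $popup = array(
        'enabled' => ! empty( $_POST['enabled'] ),
        'content' => $_POST['content'] ?? '',   // also stored unsanitised
    );
    update_option( 'example_welcome_popup', $popup );
    wp_send_json_success();
} );

// --- Hardened pattern -------------------------------------------------------
// 1. Hand the settings page a nonce. Only a page rendered by WordPress for this
//    user carries it; a cross-site page cannot read it (same-origin policy).
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_example-welcome-popup' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-popup-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-popup-admin', 'examplePopup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_welcome_popup' ),
    ) );
} );

// 2. Verify the nonce and the capability before touching the option.
add_action( 'wp_ajax_example_save_welcome_popup', function () {
    // Dies with HTTP 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'example_save_welcome_popup', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $popup = array(
        'enabled' => ! empty( $_POST['enabled'] ),
        // wp_kses_post strips <script>, on* handlers and javascript: URLs, so
        // even a legitimate admin cannot store a script payload in the popup.
        'content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    );
    update_option( 'example_welcome_popup', $popup );
    wp_send_json_success( $popup );
} );

// 3. Same two checks for a classic (non-AJAX) settings form via admin-post.php.
function example_render_popup_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_welcome_popup' ); // emits hidden _wpnonce ?>
        <input type="hidden" name="action" value="example_save_welcome_popup_form">
        <label><input type="checkbox" name="enabled" value="1"> Enabled</label>
        <textarea name="content"></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_welcome_popup_form', function () {
    check_admin_referer( 'example_save_welcome_popup' ); // validates the _wpnonce field, dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    update_option( 'example_welcome_popup', array(
        'enabled' => ! empty( $_POST['enabled'] ),
        'content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'options-general.php' ) );
    exit;
} );
```

The nonce is the actual CSRF defence: it is tied to the user, the action and a time window, and an attacker's page cannot obtain it. The capability check is separate and still required, because a nonce only proves the request originated from a WordPress-rendered page for that user, not that the user is allowed to change the setting.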
🧯 If You Can't Patch
- Remove WP MultiTasking plugin entirely if not needed.
- Restrict admin panel access to trusted IP addresses. Note that this does not stop CSRF by itself, because the forged request is sent by the administrator's own browser from an allowed address; it only narrows who can be targeted.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WP MultiTasking version 0.1.12 or earlier.
Check Version:
wp plugin get wp-multitasking --field=version
Verify Fix Applied:
Confirm WP MultiTasking plugin version is 0.1.13 or later in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to welcome popup settings. WordPress core does not log option changes, so this requires an activity-log plugin or database auditing of the relevant option rows.
- Admin user actions from unusual IP addresses or user agents.
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php carrying the popup update action whose Referer or Origin header is missing or points to a third-party site. Web server access logs do not record POST bodies, so the action name is only visible in WAF or application-level logs, and a missing Referer on its own is a weak signal because browser privacy settings and Referrer-Policy commonly suppress it.
SIEM Query:
source="wordpress.log" AND ("wp-multitasking" OR "welcome_popup") AND action="update"