CVE-2024-6856

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in the WP MultiTasking WordPress plugin allows attackers to trick authenticated administrators into unknowingly changing plugin settings. Attackers can craft malicious requests that execute when an admin visits a compromised page. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WP MultiTasking WordPress Plugin
Versions: 0.1.12 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the WP MultiTasking plugin enabled and an authenticated admin session.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify plugin settings to disable security features, inject malicious code, or redirect users to phishing sites, potentially compromising the entire WordPress site.

🟠 Likely Case

Attackers could change plugin configurations to degrade functionality, inject ads or tracking scripts, or modify site behavior in ways that benefit the attacker.

🟢 If Mitigated

With proper CSRF protections and admin awareness, exploitation attempts would fail, leaving the plugin settings unchanged and the site secure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an admin into clicking a malicious link while authenticated. No authentication bypass is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.13 or later

Vendor Advisory: https://wpscan.com/vulnerability/9700845e-89ca-4f9b-95f0-4b46a975b662/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP MultiTasking plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable WP MultiTasking Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until it is patched:

wp plugin deactivate wp-multitasking

Implement CSRF Protection Manually (applies to: all)

Add nonce verification to the plugin's settings update functions if you have development access.
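The following is an added illustration of the nonce-verification workaround; it is not the WP MultiTasking plugin's own code. The function names (prefixed `wpmt_`), the option `wpmt_redirect_url` and the form field names are constructed for the example, and the handler is hooked through WordPress's `admin-post.php` mechanism. It shows the unprotected settings handler that a cross-site form can drive beside the hardened version that checks capability and nonce before touching the option.

```php
<?php
// Added example, not the WP MultiTasking plugin's code. All "wpmt_" names and
// the option "wpmt_redirect_url" are constructed for illustration.

// --- Vulnerable pattern: the handler trusts any POST from a logged-in admin ---
// A page that auto-submits a form to this handler changes the option using the
// victim's session cookie, without the victim's intent.
function wpmt_save_settings_unprotected() {
    if ( isset( $_POST['wpmt_redirect_url'] ) ) {
        update_option( 'wpmt_redirect_url', esc_url_raw( wp_unslash( $_POST['wpmt_redirect_url'] ) ) );
    }
}

// --- Hardened pattern: the form emits a nonce and the handler verifies it ---
function wpmt_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpmt_save_settings">
        <?php
        // Emits a hidden "wpmt_nonce" field tied to the current user and session,
        // plus a _wp_http_referer field.
        wp_nonce_field( 'wpmt_save_settings', 'wpmt_nonce' );
        ?>
        <label>Redirect URL
            <input type="url" name="wpmt_redirect_url"
                   value="<?php echo esc_attr( get_option( 'wpmt_redirect_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

function wpmt_save_settings_protected() {
    // 1. Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: check_admin_referer() calls wp_die() when the nonce is
    //    missing or invalid, so a forged cross-site POST never reaches update_option().
    check_admin_referer( 'wpmt_save_settings', 'wpmt_nonce' );

    // 3. Validate and sanitize the input before storing it.
    $url = isset( $_POST['wpmt_redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['wpmt_redirect_url'] ) )
        : '';
    update_option( 'wpmt_redirect_url', $url );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'admin.php?page=wp-multitasking' ) ) );
    exit;
}

// admin_post_{action} fires for logged-in users posting to admin-post.php
// with action=wpmt_save_settings.
add_action( 'admin_post_wpmt_save_settings', 'wpmt_save_settings_protected' );
```

The order matters: the capability check stops low-privilege users, and the nonce check stops requests that did not originate from the plugin's own form, which is exactly the gap a CSRF exploit relies on. Nonces are per-user and time-limited, so an attacker cannot pre-compute one for the victim's session.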

🧯 If You Can't Patch

  • Restrict admin access to trusted networks only
  • Educate administrators about CSRF risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin under Plugins > Installed Plugins. If the version is 0.1.12 or earlier, the site is vulnerable.

Check Version:

wp plugin get wp-multitasking --field=version

Verify Fix Applied:

After updating, verify plugin version shows 0.1.13 or later in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wp-admin/admin.php?page=wp-multitasking settings endpoints from unexpected sources

Network Indicators:

  • HTTP requests to admin settings endpoints whose Referer header points to an external domain

SIEM Query:

source="wordpress.log" AND "wp-multitasking" AND "admin.php" AND (POST OR PUT)
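As an added example of the log and network indicators above (not part of the advisory), the script below scans web-server access-log lines in Combined Log Format for POST or PUT requests to `wp-admin/admin.php?page=wp-multitasking` whose Referer is missing or belongs to a host other than the site itself. The site hostname `blog.example` and the log lines are constructed sample data.

```php
<?php
// Added example, not from the advisory or the plugin: flag state-changing
// requests to the plugin's settings page that arrive with a missing or
// external Referer. SITE_HOST and the sample log lines are constructed.

const SITE_HOST = 'blog.example';

// Combined Log Format: ip ident user [time] "method path proto" status size "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_log_line(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null; // not a recognised access-log line
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// True when the request targets the plugin's settings page in wp-admin.
function is_settings_request(array $r): bool {
    $parts = parse_url($r['path']);
    if (($parts['path'] ?? '') !== '/wp-admin/admin.php') {
        return false;
    }
    parse_str($parts['query'] ?? '', $q);
    return ($q['page'] ?? '') === 'wp-multitasking';
}

// A missing Referer ("-") or one whose host differs from the site is treated as
// suspicious. Referers can be stripped or spoofed, so this is an indicator,
// not proof; the authoritative fix remains the patched plugin.
function referer_is_external(string $referer): bool {
    if ($referer === '' || $referer === '-') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return strcasecmp((string) $host, SITE_HOST) !== 0;
}

function find_suspicious(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null || !in_array($r['method'], ['POST', 'PUT'], true)) {
            continue;
        }
        if (is_settings_request($r) && referer_is_external($r['referer'])) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample: one legitimate save, one cross-site save, one unrelated GET.
$sample = [
    '198.51.100.7 - - [10/Jul/2024:12:00:01 +0000] "POST /wp-admin/admin.php?page=wp-multitasking HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=wp-multitasking" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2024:12:03:14 +0000] "POST /wp-admin/admin.php?page=wp-multitasking HTTP/1.1" 302 0 "https://lure.invalid/prize.html" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2024:12:03:20 +0000] "GET /wp-admin/admin.php?page=wp-multitasking HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
];

foreach (find_suspicious($sample) as $hit) {
    printf("[%s] %s %s %s referer=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['referer']);
}
```

Run with `php scan.php`; only the second sample line is reported, since its Referer host is not `blog.example`. The first line has a same-site Referer and the third is a GET, so neither is flagged. In production, feed real log lines from the web server and correlate hits with the plugin's option changes.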
