CVE-2015-9424

Name of the Vulnerable Software and Affected Versions multicons plugin versions prior to 3.0

Description The issue concerns a CSRF with resultant XSS in the multicons plugin for WordPress. This can be exploited via the global url or admin url parameter in the /wp-admin/options-general.php?page=multicons%2Fmulticons.php API endpoint.

Recommendations For versions prior to 3.0, update to version 3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-admin/options-general.php?page=multicons%2Fmulticons.php endpoint to minimize the risk of exploitation. Avoid using the global url or admin url parameters in this endpoint until the issue is resolved.