CVE-2024-6244

HIGH

PZ Frontend Manager < 1.0.6 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-6244. PoCs published by Vuln Seeker Cybersecurity Team, Boshe99, Nxploited.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in the PZ Frontend Manager WordPress plugin (version <= 1.0.5), allowing an attacker to change a user's avatar via a crafted HTML form. The PoC includes a base64-encoded image payload and a script to auto-submit the form.

Description

The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.
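"Does not have CSRF checks in some places" means, in WordPress terms, AJAX actions registered with add_action('wp_ajax_...') whose callbacks never validate a nonce before changing state. The Python audit script below is an added example, not code from the plugin, from WPScan, or from any of the PoCs listed on this page: it parses a constructed PHP sample (the action names, callback names and user-meta keys are invented for the sample and are not the plugin's) and reports every wp_ajax handler that reaches a state change without calling check_ajax_referer(), wp_verify_nonce() or check_admin_referer(). The sample places one such handler next to a hardened one that validates the nonce and then checks the caller's capability, which is the shape of fix a maintainer would apply.

```python
"""Audit WordPress plugin source for AJAX handlers that lack a CSRF nonce check.

Added example: the PHP below is constructed for illustration and is not the
PZ Frontend Manager source; action, callback and meta-key names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Optional

# WordPress helpers that validate a nonce. A wp_ajax_* callback that calls
# none of them is the CWE-352 pattern the advisory describes.
NONCE_CALLS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")

ACTION_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax(?:_nopriv)?_[\w-]+)['"]\s*,\s*['"]([\w\\]+)['"]"""
)

# Constructed sample plugin (hypothetical names, not the real plugin).
SAMPLE_PLUGIN_PHP = r'''<?php
add_action('wp_ajax_pzfm_update_avatar', 'pzfm_update_avatar');
add_action('wp_ajax_nopriv_pzfm_update_avatar', 'pzfm_update_avatar');

function pzfm_update_avatar() {
    // Vulnerable: no nonce check, so a cross-site POST to
    // /wp-admin/admin-ajax.php?action=pzfm_update_avatar rides on the
    // victim's session cookie and replaces their avatar.
    $user_id = get_current_user_id();
    $image   = base64_decode($_POST['avatar']);
    update_user_meta($user_id, 'pzfm_avatar', $image);
    wp_send_json_success();
}

add_action('wp_ajax_pzfm_update_bio', 'pzfm_update_bio');

function pzfm_update_bio() {
    // Hardened: nonce bound to the profile form, then a capability check.
    check_ajax_referer('pzfm_profile', 'security');
    if (!current_user_can('edit_user', get_current_user_id())) {
        wp_send_json_error('forbidden', 403);
    }
    update_user_meta(get_current_user_id(), 'description',
                     sanitize_textarea_field($_POST['bio']));
    wp_send_json_success();
}
'''


@dataclass(frozen=True)
class Finding:
    action: str           # full hook name, e.g. wp_ajax_pzfm_update_avatar
    callback: str         # PHP function registered for the hook
    nopriv: bool          # also reachable by unauthenticated visitors
    has_nonce_check: bool


def function_body(src: str, name: str) -> Optional[str]:
    """Return the body of PHP function `name`, delimited by brace depth.

    Braces inside strings or comments are not special-cased; this is an
    audit heuristic, not a PHP parser.
    """
    head = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if head is None:
        return None
    depth = 0
    for i in range(head.end() - 1, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[head.end():i]
    return None


def audit_ajax_handlers(src: str) -> list[Finding]:
    """One Finding per add_action('wp_ajax_...') registration found in `src`."""
    findings = []
    for action, callback in ACTION_RE.findall(src):
        body = function_body(src, callback)
        has_nonce = body is not None and any(call in body for call in NONCE_CALLS)
        findings.append(Finding(action, callback, action.startswith("wp_ajax_nopriv_"), has_nonce))
    return findings


def unprotected_callbacks(src: str) -> list[str]:
    """Callbacks reachable through admin-ajax.php that never validate a nonce."""
    return sorted({f.callback for f in audit_ajax_handlers(src) if not f.has_nonce_check})


if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PLUGIN_PHP):
        status = "ok" if f.has_nonce_check else "MISSING NONCE CHECK"
        print(f"{f.action:40s} -> {f.callback:25s} {status}")
```

Run it against an unpacked plugin directory by feeding each .php file's text to audit_ajax_handlers(); a callback that is also registered under wp_ajax_nopriv_ deserves a second look, since it is then reachable without any session at all. A nonce check alone does not authorize the action: the hardened handler in the sample pairs it with current_user_can(), which is the check that stops a low-privilege user from editing someone else's data.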

Exploits (3)

exploitdb WORKING POC
by Vuln Seeker Cybersecurity Team · webapps · php
https://www.exploit-db.com/exploits/52153

This exploit demonstrates a CSRF vulnerability in the PZ Frontend Manager WordPress plugin (version <= 1.0.5), allowing an attacker to change a user's avatar via a crafted HTML form. The PoC includes a base64-encoded image payload and a script to auto-submit the form.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: PZ Frontend Manager WordPress Plugin <= 1.0.5
Auth required
Prerequisites: Victim must be logged into WordPress · Attacker must trick victim into visiting a malicious page
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-6244

The repository contains functional exploit code for CVE-2024-6244, targeting an arbitrary file upload vulnerability in the WordPress Plugin 3DPrint Lite 1.9.1.4. The exploit demonstrates the ability to upload a malicious file to a vulnerable target. This description does not match CVE-2024-6244 as tracked here (a CSRF, CWE-352, in PZ Frontend Manager), and the RCE / no-auth classification below follows from that description; verify which vulnerability the repository actually targets before relying on it for this CVE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Vulnerable WordPress site with 3DPrint Lite plugin installed · Network access to the target
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2024-6244

This PoC exploits a CSRF vulnerability in the WordPress plugin pz-frontend-manager (versions <= 1.0.5) to change a user's profile picture without their consent. It includes version checking, authentication, and a crafted request to upload an image via admin-ajax.php. The credentials are used by the PoC to demonstrate the state change directly; the vulnerability itself (CVSS PR:N, UI:R) requires no attacker credentials, only a logged-in victim loading attacker-controlled content.

Classification
Working Poc 95%
Attack Type
Csrf
Complexity
Moderate
Reliability
Reliable
Target: pz-frontend-manager WordPress plugin <= 1.0.5
Auth required
Prerequisites: Valid WordPress credentials · Vulnerable plugin version installed
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Tags: Exploit, Third Party Advisory · exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/

Scores

CVSS v3.1 8.8
EPSS 0.0264
EPSS Percentile 83.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
projectzealous/pz_frontend_manager < 1.0.6
Published Jul 22, 2024
Tracked Since Feb 18, 2026