CVE-2026-24597
Description
Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery.
This issue affects Organization chart: from n/a through 1.7.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Organization chart plugin up to 1.7.5 allows attackers to force privileged users to execute unwanted actions.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Organization chart plugin by WpDevArt for WordPress, in versions through 1.7.5. The plugin fails to validate or sanitize requests, allowing an attacker to craft malicious requests that perform unintended actions when triggered by a privileged user. [1]
Exploitation
An attacker can craft a malicious link or form and trick a logged-in administrator or other privileged user into clicking it. No authentication is required for the attacker, but the victim must be authenticated and have sufficient privileges. The attacker does not need any special network position beyond being able to deliver the malicious payload (e.g., via email, social engineering, or embedding on a site). [1]
Impact
Successful exploitation allows the attacker to force the victim to perform actions under their current authentication, such as changing plugin settings, adding or deleting data, or other administrative actions. The impact is limited to the privileges of the victim user. [1]
Mitigation
The vulnerability is fixed in version 1.7.6. The release date is unknown, but the fixed version is referenced in the Patchstack advisory. Users should update to 1.7.6 or later. If unable to update, consider disabling the plugin or implementing additional CSRF protections. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.7.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.