PatchSiren cyber security CVE debrief
CVE-2026-24597 WpDevArt CVE debrief
Cross-Site Request Forgery (CSRF) vulnerability in the WpDevArt Organization chart WordPress plugin, affecting versions up to and including 1.7.5. The vulnerability allows attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The CVSS 3.1 score of 4.3 (Medium severity) reflects a network attack vector, low attack complexity and no required privileges, but user interaction is required. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The CVE was published on May 25, 2026 and last modified on May 26, 2026. The NVD status is currently 'Deferred', indicating the entry may be awaiting additional analysis or vendor coordination. No known exploitation in ransomware campaigns has been reported (non-KEV).
- Vendor: WpDevArt
- Product: Organization chart
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using the WpDevArt Organization chart plugin; security teams managing WordPress content management systems; developers maintaining WordPress plugins with administrative functionality
Technical summary
The Organization chart plugin for WordPress by WpDevArt contains a Cross-Site Request Forgery vulnerability in versions 1.7.5 and earlier. CSRF vulnerabilities occur when a web application does not verify that a state-changing request was intentionally issued by the authenticated user, so an attacker can trick a logged-in user into submitting an unwanted request. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates network-based attacks with low complexity, no privilege requirements, but requiring user interaction, resulting in low integrity impact with no confidentiality or availability impact. The vulnerability is rooted in CWE-352 (Cross-Site Request Forgery). Organizations using this plugin should prioritize updates and implement defense-in-depth CSRF protections.
Defensive priority
medium
Recommended defensive actions
- Update Organization chart plugin to version 1.7.6 or later if available; verify patch availability through the plugin developer or WordPress.org repository
- Implement CSRF protection verification on all state-changing administrative functions within WordPress installations using this plugin
- Apply principle of least privilege for WordPress user accounts to limit impact of potential CSRF exploitation
- Consider implementing additional CSRF tokens or nonce validation at the web application firewall level for administrative endpoints
- Monitor WordPress admin logs for unexpected configuration changes or chart modifications that may indicate exploitation attempts
- Review and validate all organization chart data and plugin settings for unauthorized modifications if running affected versions
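The nonce-validation and least-privilege actions above, shown as an added illustration in PHP. This is not code from the Organization chart plugin or from WpDevArt: it is a hypothetical admin settings handler for a chart plugin, first in the unprotected form that CWE-352 describes, then hardened with the standard WordPress nonce and capability checks, plus a small `updated_option` hook that logs changes to the setting for the monitoring step. The option name `demo_orgchart_title`, the `admin_post_*` action slugs and the nonce name are placeholders.

```php
<?php
/**
 * Added example (not the plugin's own code): a hypothetical settings handler
 * for an org-chart plugin, in vulnerable and hardened form.
 * 'demo_orgchart_title', the action slugs and the nonce name are placeholders.
 */

// --- Vulnerable pattern (CWE-352): no nonce, no capability check. ---
// Any page a logged-in admin visits can auto-submit a POST to this handler,
// because nothing ties the request to a form the admin actually opened.
function demo_orgchart_save_vulnerable() {
    if ( isset( $_POST['chart_title'] ) ) {
        update_option( 'demo_orgchart_title', sanitize_text_field( wp_unslash( $_POST['chart_title'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=demo-orgchart&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_orgchart_save_vulnerable', 'demo_orgchart_save_vulnerable' );

// --- Hardened pattern: the form embeds a nonce, the handler verifies it and
// also checks the caller's capability before changing any state. ---
function demo_orgchart_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_orgchart_save">
        <?php wp_nonce_field( 'demo_orgchart_save', 'demo_orgchart_nonce' ); ?>
        <input type="text" name="chart_title"
               value="<?php echo esc_attr( get_option( 'demo_orgchart_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_orgchart_save() {
    // Least privilege: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce bound to this action and this
    // user session; a forged cross-site POST cannot supply a valid one, so the
    // request dies here with the standard "link has expired" page.
    check_admin_referer( 'demo_orgchart_save', 'demo_orgchart_nonce' );

    $title = isset( $_POST['chart_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['chart_title'] ) )
        : '';
    update_option( 'demo_orgchart_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=demo-orgchart&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_orgchart_save', 'demo_orgchart_save' );

// --- Detection aid: record who changed the setting and from where, so an
// unexpected modification can be spotted in the server log. ---
function demo_orgchart_log_option_change( $option, $old_value, $value ) {
    if ( 'demo_orgchart_title' !== $option ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[demo_orgchart] option changed by user_id=%d (%s) from ip=%s: "%s" -> "%s"',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown',
        $old_value,
        $value
    ) );
}
add_action( 'updated_option', 'demo_orgchart_log_option_change', 10, 3 );
```

The essential difference is that the hardened handler refuses any request that does not carry a nonce generated for this action and this user's session, and refuses even nonce-bearing requests from users without the required capability. Both checks run before `update_option()`, so a forged request never reaches the state change.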
Evidence notes
Vulnerability identified by Patchstack and reported to CVE with CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Affected product confirmed as WordPress plugin 'Organization chart' by WpDevArt. Vendor attribution marked as 'Unknown Vendor' in source data with low confidence, requiring review; Patchstack is identified as the reference domain candidate.
Official resources
- CVE-2026-24597 CVE record (CVE.org)
- CVE-2026-24597 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: public