CVE-2024-12206 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Header Builder Plugin – Pearl, versions up to and including 1.3.8. The root cause is the absence or improper implementation of nonce validation on the stm_header_builder administrative page. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without proper nonce checks, an attacker can craft a malicious request that, when executed by an authenticated administrator (for example, by clicking a specially crafted link), causes the deletion of arbitrary headers configured via the plugin. This vulnerability does not require the attacker to be authenticated but does require the administrator's interaction, making social engineering a key component of exploitation. The CVSS v3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, no privileges required, but requiring user interaction, and impacting integrity only. The vulnerability does not affect confidentiality or availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The plugin is widely used in WordPress sites for header customization, making the vulnerability relevant to many websites that rely on this plugin for their header management.

The primary impact of this vulnerability is the unauthorized modification of website header configurations, which can affect the integrity of the site’s presentation and potentially disrupt functionality dependent on header settings. While it does not directly compromise sensitive data or availability, unauthorized header deletion can degrade user experience, break site layouts, or interfere with security headers that protect against other attacks (e.g., Content Security Policy headers). For organizations, this could lead to reputational damage, increased support costs, and potential secondary attacks if security headers are removed or altered. Since exploitation requires tricking an administrator, the risk is higher in environments where administrators frequently interact with untrusted content or links. The vulnerability affects all sites using the vulnerable versions of the plugin, which may include small businesses, blogs, and larger enterprises relying on WordPress for their web presence.

To mitigate this vulnerability, organizations should immediately update the WordPress Header Builder Plugin – Pearl to a version that includes proper nonce validation once available. In the absence of an official patch, site administrators can implement manual nonce checks on the stm_header_builder page by customizing the plugin code or using security plugins that enforce nonce validation on administrative actions. Additionally, administrators should be trained to avoid clicking on suspicious links and implement multi-factor authentication (MFA) to reduce the risk of session hijacking. Web Application Firewalls (WAFs) can be configured to detect and block suspicious POST requests targeting the header builder endpoints. Regular security audits and monitoring of administrative actions can help detect unauthorized changes early. Finally, limiting administrative access to trusted networks and users reduces the attack surface for CSRF attacks.