CVE-2024-12634: CWE-352 Cross-Site Request Forgery (CSRF) in pickplugins Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.59. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2024-12634 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability identified in multiple related WordPress plugins developed by PickPlugins, specifically Related Posts, Inline Related Posts, Contextual Related Posts, and Related Content By PickPlugins, affecting all versions up to and including 2.0.59. The root cause is the absence of nonce validation on a critical function within these plugins.

Nonces in WordPress are security tokens used to verify that requests are intentional and originate from legitimate users. Without nonce validation, attackers can craft malicious URLs or web requests that, when clicked or executed by an authenticated site administrator, cause the site to perform unintended actions. This vulnerability does not require the attacker to be authenticated but does require user interaction, such as convincing an administrator to click a malicious link. The scope of impact includes potential injection of malicious scripts or unauthorized changes to plugin-related settings or content, affecting confidentiality and integrity but not availability.

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity with no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using these plugins, especially those with administrative users who might be targeted via phishing or social engineering. The vulnerability was published on March 7, 2025, and no official patches or mitigation links have been provided at this time.
Potential Impact
The primary impact of CVE-2024-12634 is the potential for unauthorized actions to be performed on WordPress sites using the affected PickPlugins plugins by exploiting the CSRF vulnerability. An attacker can trick an administrator into executing malicious requests, potentially leading to unauthorized changes in plugin settings, injection of malicious scripts, or manipulation of related post content. This can compromise the confidentiality and integrity of site data and user information. While availability is not directly affected, the injected scripts or unauthorized changes could facilitate further attacks such as persistent cross-site scripting (XSS) or privilege escalation. Organizations relying on these plugins may face reputational damage, data leakage, or site defacement if exploited. Since the vulnerability requires user interaction but no authentication, phishing campaigns targeting site administrators could be an effective attack vector. The lack of nonce validation indicates a fundamental security oversight that could be exploited at scale on vulnerable WordPress sites worldwide.
Mitigation Recommendations
To mitigate CVE-2024-12634, organizations should immediately update the affected PickPlugins plugins to a patched version once available. In the absence of an official patch, site administrators should implement manual nonce validation in the plugin code for all functions that perform state-changing actions, ensuring that every request includes a valid nonce token verified server-side. Additionally, administrators should enforce strict user access controls, limiting administrative privileges to trusted users only. Employing web application firewalls (WAFs) with rules to detect and block CSRF attack patterns can provide temporary protection. Educating site administrators about phishing and social engineering risks is critical to reduce the likelihood of user interaction with malicious links. Regular security audits and monitoring for unusual administrative actions or content changes can help detect exploitation attempts early. Finally, consider disabling or replacing the affected plugins with alternatives that follow secure coding practices until a secure update is released.
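The recommendation above to add server-side nonce validation to every state-changing function is easiest to see in code. The following is an added example written for this page; it is not code from the PickPlugins plugin, and the option name, action slug and function names (`example_related_posts_title`, `example_save_related_posts`, and so on) are hypothetical. It shows a settings form that emits a nonce, a handler written in the unprotected style the advisory describes, and the hardened handler that a maintainer should ship instead (capability check, nonce check via `check_admin_referer()`, and input sanitization).

```php
<?php
// Added example (not code from the PickPlugins plugin). The option name,
// action slug and function names below are assumptions chosen for illustration.

// --- Form side: emit a nonce field so legitimate requests carry a token ---
function example_related_posts_settings_form() {
    $value = esc_attr( get_option( 'example_related_posts_title', '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_related_posts">
        <?php wp_nonce_field( 'example_save_related_posts', 'example_nonce' ); ?>
        <input type="text" name="related_posts_title" value="<?php echo $value; ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- UNPROTECTED handler: the missing-nonce pattern the advisory describes ---
// There is no nonce check and no capability check, so any request that an
// administrator's browser can be induced to send updates the option with
// whatever value the request carries, and the raw value is stored unsanitized.
// Shown for contrast only; it is deliberately not registered below.
function example_save_related_posts_unprotected() {
    update_option( 'example_related_posts_title', $_POST['related_posts_title'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- HARDENED handler ---
function example_save_related_posts_hardened() {
    // 1. Capability: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce: check_admin_referer() stops the request with a 403 if the token
    //    is missing, expired, or was issued for a different action or user.
    check_admin_referer( 'example_save_related_posts', 'example_nonce' );

    // 3. Sanitize before storing so the saved value cannot carry script markup.
    $title = isset( $_POST['related_posts_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['related_posts_title'] ) )
        : '';
    update_option( 'example_related_posts_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// Register only the hardened handler for logged-in admin-post requests.
add_action( 'admin_post_example_save_related_posts', 'example_save_related_posts_hardened' );
```

The nonce alone is not the whole fix: `check_admin_referer()` proves the request came from a form the site itself rendered for this user, `current_user_can()` proves the user is allowed to make the change, and `sanitize_text_field()` keeps a successful request from storing markup that would later render as stored XSS. For handlers reached through `admin-ajax.php` the equivalent token check is `check_ajax_referer()`, and for the same reason every state-changing endpoint of a plugin, not just its settings page, should carry all three checks.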
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-13T21:32:42.319Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e46b7ef31ef0b59c271
Added to database: 2/25/2026, 9:48:54 PM
Last enriched: 2/26/2026, 3:14:17 AM
Last updated: 4/11/2026, 5:13:25 PM