CVE-2024-51637 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the sroyalty Admin SMS Alert plugin, specifically affecting versions up to and including 1.1.0. The vulnerability allows an attacker to trick an authenticated administrator into executing unintended actions by sending crafted requests without their consent. This CSRF flaw is compounded by the presence of Stored Cross-Site Scripting (XSS), meaning that malicious scripts can be injected and stored persistently within the application’s administrative interface. When an administrator interacts with the compromised interface, the injected scripts execute, potentially leading to session hijacking, credential theft, or further compromise of the administrative environment. The vulnerability does not require public authentication bypass but does require the victim to be logged in with administrative privileges and to interact with a malicious webpage or link. No CVSS score has been assigned yet, and no public exploits have been reported, but the combination of CSRF and stored XSS represents a significant risk vector. The plugin is typically used in content management or alerting systems where SMS notifications are managed, making the administrative interface a critical security boundary. The lack of available patches at the time of publication means that affected users must rely on interim mitigations. The vulnerability was reserved on October 30, 2024, and published on November 19, 2024, by Patchstack, indicating recent discovery and disclosure.

The impact of CVE-2024-51637 is significant for organizations using the sroyalty Admin SMS Alert plugin. Successful exploitation could allow attackers to perform unauthorized administrative actions via CSRF, potentially changing SMS alert configurations or injecting malicious scripts that persist in the system. The stored XSS component can lead to session hijacking, credential theft, or further malware deployment, compromising the confidentiality, integrity, and availability of the administrative environment. This could disrupt critical alerting functions, leading to missed or manipulated notifications, which may affect operational security and incident response. The requirement for administrator authentication limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or where phishing attacks can lure admins to malicious sites. The absence of known exploits reduces immediate widespread impact but does not preclude targeted attacks. Organizations relying on this plugin for security or operational alerts face increased risk of privilege escalation and persistent compromise until mitigations or patches are applied.

To mitigate CVE-2024-51637, organizations should immediately assess their use of the sroyalty Admin SMS Alert plugin and consider disabling it if feasible until a patch is released. Implement strict CSRF protections such as synchronizer tokens or double-submit cookies in the administrative interface to prevent unauthorized request forgery. Conduct thorough input validation and output encoding to mitigate stored XSS risks, ensuring that any user-supplied data is sanitized before storage and rendering. Limit administrative access to trusted networks and users, and enforce multi-factor authentication to reduce the risk of compromised credentials. Monitor administrative logs for unusual activity that may indicate exploitation attempts. Educate administrators about phishing and social engineering risks that could lead to CSRF exploitation. Stay updated with vendor advisories and apply patches promptly once available. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoints.