CVE-2024-51642 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the ivan9146 Seo Free plugin, affecting all versions up to 1.4. Seo Free is a WordPress plugin designed to assist with SEO optimization. The vulnerability allows attackers to craft malicious requests that, when executed by an authenticated user, perform unauthorized actions on the website. This CSRF flaw is compounded by the presence of Stored Cross-Site Scripting (XSS), meaning that injected malicious scripts can be permanently stored on the affected site and executed in the context of users' browsers. The combination of CSRF and stored XSS can lead to session hijacking, defacement, or data theft. The vulnerability does not require user interaction beyond visiting a malicious page, increasing its risk. No CVSS score has been assigned yet, and no patches or known exploits are currently reported. The issue was reserved in late October 2024 and published in November 2024. The lack of patches means sites remain vulnerable until mitigations are applied. The plugin’s user base, primarily WordPress site administrators focusing on SEO, is the main affected group.

Organizations using the ivan9146 Seo Free plugin are at risk of unauthorized actions executed in the context of authenticated users, potentially leading to persistent XSS attacks. This can compromise the confidentiality and integrity of user data, enable session hijacking, and allow attackers to deface websites or inject malicious content. The availability of the website could also be impacted if attackers disrupt normal operations or inject disruptive scripts. Given that WordPress powers a significant portion of the web, many small to medium businesses and SEO-focused sites globally could be affected. The absence of patches increases exposure time, and the ease of exploitation (no user interaction beyond visiting a malicious page) elevates the threat level. The impact is particularly severe for sites with privileged users who have administrative capabilities, as attackers could gain control over site content and user sessions.

Until an official patch is released, organizations should implement strict anti-CSRF protections such as verifying CSRF tokens on all state-changing requests within the Seo Free plugin context. Input validation and output encoding should be enforced to mitigate stored XSS risks. Administrators should limit plugin usage to trusted users and restrict administrative privileges to minimize attack surface. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious CSRF and XSS payloads can provide interim protection. Regularly monitoring logs for unusual activities and educating users about phishing and suspicious links will reduce exploitation chances. Once patches become available, immediate application is critical. Additionally, consider disabling or replacing the Seo Free plugin if it is not essential, to reduce risk exposure.