CVE-2024-51650: Cross-Site Request Forgery (CSRF) in scottmydollarplancom Random Featured Post
Cross-Site Request Forgery (CSRF) vulnerability in scottmydollarplancom Random Featured Post (random-featured-post-plugin) allows Stored XSS. This issue affects Random Featured Post: from n/a through <= 1.1.3.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-51650 identifies a security vulnerability in the Random Featured Post plugin developed by scottmydollarplancom, specifically versions up to and including 1.1.3. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that enables attackers to trick authenticated users into executing unwanted actions on their behalf. This CSRF vulnerability is compounded by the presence of stored Cross-Site Scripting (XSS), meaning that malicious scripts can be injected and persist within the plugin's stored data. When an authenticated user visits a maliciously crafted page or link, the attacker can exploit the CSRF to submit unauthorized requests that result in stored XSS payloads being saved and later executed in the context of the victim’s browser. This can lead to session hijacking, defacement, data theft, or further malware distribution. The plugin is typically used in WordPress environments to display random featured posts, and the vulnerability arises from insufficient validation of requests and lack of proper anti-CSRF tokens. No official patches or fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on October 30, 2024, and published on November 19, 2024, by Patchstack. The absence of a CVSS score necessitates an independent severity assessment based on the nature of the vulnerability and its potential impact.
Potential Impact
The impact of CVE-2024-51650 is significant for organizations using the affected Random Featured Post plugin, especially those running WordPress sites with authenticated user sessions. Successful exploitation can lead to persistent stored XSS attacks, allowing attackers to execute arbitrary JavaScript in the context of site visitors or administrators. This can result in credential theft, session hijacking, unauthorized actions, defacement, or distribution of malware. The CSRF aspect means attackers can induce authenticated users to perform malicious actions unknowingly, increasing the attack surface. For organizations, this can lead to data breaches, loss of user trust, reputational damage, and potential regulatory penalties if sensitive data is compromised. Since WordPress powers a large portion of websites globally, the scope of affected systems could be broad, particularly for sites that have installed this plugin and not updated it. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a critical risk if weaponized.
Mitigation Recommendations
To mitigate CVE-2024-51650, organizations should immediately verify if their WordPress installations use the Random Featured Post plugin version 1.1.3 or earlier. If so, they should seek updates or patches from the plugin developer or consider disabling the plugin until a fix is available. Implementing Web Application Firewall (WAF) rules to detect and block CSRF and XSS attack patterns can provide temporary protection. Administrators should enforce strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Additionally, ensuring that all forms and state-changing requests include anti-CSRF tokens can prevent unauthorized requests. Regularly auditing plugins for security updates and minimizing the use of unnecessary plugins reduces attack surface. User education to avoid clicking suspicious links and monitoring logs for unusual activity related to the plugin can help detect exploitation attempts early. Finally, consider isolating or sandboxing plugin functionality where possible to limit the impact of any compromise.
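The anti-CSRF token, capability check and input sanitization that the mitigation advice above calls for, shown as an added example in the form of a hypothetical WordPress settings handler. This is not the Random Featured Post plugin's own code; the option name, form field names and the `rfp_example_` prefix are assumptions.

```php
<?php
// Added example, not the plugin's code. Option/field names are hypothetical.

// 1. Render the settings form with a nonce field so every state-changing
//    request carries an anti-CSRF token bound to this action and this user.
function rfp_example_render_settings_form() {
    $title = get_option( 'rfp_example_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rfp_example_save">
        <?php wp_nonce_field( 'rfp_example_save', 'rfp_example_nonce' ); ?>
        <label>Widget title
            <input type="text" name="rfp_example_title"
                   value="<?php echo esc_attr( $title ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the submission: reject users who may not manage options and any
//    request without a valid nonce, then sanitize before storing. A forged
//    cross-site request cannot supply the nonce, so the write path that would
//    persist an XSS payload is closed even when the victim is an administrator.
function rfp_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 page when the nonce is missing, expired or forged.
    check_admin_referer( 'rfp_example_save', 'rfp_example_nonce' );

    $title = isset( $_POST['rfp_example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['rfp_example_title'] ) )
        : '';
    update_option( 'rfp_example_title', $title );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_rfp_example_save', 'rfp_example_save_settings' );

// 3. Escape on output as well: sanitizing on input is defence in depth,
//    not a substitute for escaping where the stored value is rendered.
function rfp_example_widget_title() {
    return esc_html( get_option( 'rfp_example_title', '' ) );
}
```

Both checks belong in the same handler: the capability check alone does not stop CSRF (the victim is authorized), and the nonce alone does not stop a low-privileged user who submits the form directly.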
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2024-10-30T15:05:17.627Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd750de6bfc5ba1df027d1
Added to database: 4/1/2026, 7:42:05 PM
Last enriched: 4/2/2026, 7:53:03 AM
Last updated: 4/6/2026, 9:28:05 AM