CVE-2024-51655 identifies a security vulnerability in the microkid Custom Author URL WordPress plugin, specifically affecting versions up to and including 2.0.1. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that enables attackers to trick authenticated users into submitting unauthorized requests. This CSRF weakness is compounded by the ability to inject Stored Cross-Site Scripting (XSS) payloads via the author-slug functionality. Stored XSS occurs when malicious scripts are permanently stored on the target server (e.g., in a database) and executed in the browsers of users who visit the affected pages. The combination of CSRF and stored XSS means an attacker can cause an authenticated user to unknowingly perform actions that embed malicious scripts, which then execute in the context of the victim’s browser. This can lead to session hijacking, credential theft, defacement, or further exploitation of the affected site. The plugin is used to customize author URLs in WordPress, a widely deployed content management system, making the attack surface potentially broad. The vulnerability was reserved on October 30, 2024, and published on November 19, 2024, but no public exploits or patches are currently available. The absence of a CVSS score requires an independent severity assessment. Given the nature of CSRF combined with stored XSS, the threat is significant, especially for sites with multiple users or administrative roles. Attackers do not require direct authentication but rely on victims being logged in and visiting crafted URLs or pages. The vulnerability highlights the need for robust CSRF tokens and proper input validation/sanitization in web applications.

The impact of CVE-2024-51655 is considerable for organizations using the microkid Custom Author URL plugin in WordPress environments. Successful exploitation can lead to unauthorized actions performed with the privileges of authenticated users, including administrators. Stored XSS can compromise user sessions, steal cookies, redirect users to malicious sites, or execute arbitrary JavaScript in the context of the victim’s browser. This can result in data breaches, defacement, loss of user trust, and potential lateral movement within the network if administrative credentials are compromised. Since WordPress powers a significant portion of the web, including many business, government, and media sites, the vulnerability could affect a wide range of organizations globally. The lack of a patch at the time of disclosure increases the risk window. Attackers could weaponize this vulnerability in targeted phishing campaigns or automated mass exploitation once exploit code becomes available. The combined CSRF and stored XSS vector makes mitigation more complex and increases the likelihood of successful attacks, especially in environments where users have elevated privileges or where multiple users interact with the system.

To mitigate CVE-2024-51655, organizations should immediately monitor for updates from the microkid plugin vendor and apply patches as soon as they are released. Until a patch is available, implement strict CSRF protections such as verifying CSRF tokens on all state-changing requests related to author-slug modifications. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious CSRF and XSS payloads targeting the plugin’s endpoints. Conduct thorough input validation and output encoding on all user-supplied data, especially author-slug fields, to prevent script injection. Limit user privileges to the minimum necessary, reducing the impact of compromised accounts. Educate users to avoid clicking on suspicious links while authenticated to the affected sites. Regularly audit logs for unusual activities related to author URL changes. Consider disabling or replacing the plugin if immediate patching is not feasible. Finally, implement Content Security Policy (CSP) headers to reduce the impact of any injected scripts.