CVE-2024-54332 identifies a security vulnerability in the WPFactory WP Currency Exchange Rates plugin for WordPress, specifically affecting versions up to 1.2.0. The vulnerability is a Cross-Site Request Forgery (CSRF) that allows attackers to trick authenticated administrators into submitting unauthorized requests. These unauthorized requests can lead to Stored Cross-Site Scripting (XSS), where malicious scripts are injected and stored within the plugin's data or settings. Stored XSS is particularly dangerous as it can execute in the context of any user viewing the affected pages, potentially leading to session hijacking, privilege escalation, or distribution of malware. The absence of a CVSS score indicates this is a newly published vulnerability with limited public analysis. The vulnerability arises because the plugin does not properly verify the origin of requests or implement adequate anti-CSRF tokens, allowing attackers to exploit the trust between the administrator's browser and the WordPress site. Since the plugin is used to display currency exchange rates, it is often installed on e-commerce, financial, and business websites, increasing the potential impact. No known exploits are publicly available yet, but the vulnerability's nature suggests it could be weaponized easily once details are widely known. The vulnerability was reserved on December 2, 2024, and published on December 16, 2024, indicating recent discovery and disclosure.

The impact of CVE-2024-54332 is significant for organizations using the WP Currency Exchange Rates plugin on WordPress sites. Exploitation can lead to Stored XSS, which compromises the confidentiality, integrity, and availability of the affected website. Attackers can hijack administrator sessions, manipulate site content, redirect users to malicious sites, or deploy malware. This can damage organizational reputation, lead to data breaches, and disrupt business operations, especially for e-commerce and financial service providers relying on accurate currency exchange information. Since the vulnerability requires an authenticated administrator session but no user interaction beyond that, attackers targeting compromised or socially engineered admin accounts can exploit it remotely. The lack of patch availability at the time of disclosure increases exposure. Organizations with high traffic or sensitive user data are at greater risk, as the consequences of XSS attacks can cascade to users and connected systems. Additionally, the stored nature of the XSS means the malicious payload persists, increasing the attack window and potential damage.

To mitigate CVE-2024-54332, organizations should immediately monitor for updates from WPFactory and apply patches as soon as they are released. Until a patch is available, administrators should restrict plugin usage to trusted personnel and limit administrator access to reduce the risk of CSRF exploitation. Implementing Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts and XSS payloads can provide interim protection. Site owners should also enforce strict Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. Reviewing and hardening WordPress security settings, including disabling unnecessary plugins and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) for administrators, will reduce attack surface. Regular security audits and monitoring for unusual admin activity or injected scripts in plugin data are recommended. Finally, educating administrators about phishing and social engineering risks can prevent attackers from gaining the authenticated session needed for exploitation.