CVE-2024-54337 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the DevriX DX Dark Site plugin, affecting versions up to 1.0.1. CSRF vulnerabilities allow attackers to trick authenticated users into submitting unwanted requests to a web application, potentially performing actions without the user's consent. In this case, the CSRF flaw enables Stored Cross-Site Scripting (XSS), where malicious scripts injected by an attacker are stored persistently on the site and executed in the context of users' browsers. This combination is particularly dangerous because it leverages the trust of authenticated sessions to inject and execute malicious code, which can lead to session hijacking, data theft, or further compromise of the affected site. The vulnerability was reserved on December 2, 2024, and published on December 13, 2024. No CVSS score has been assigned yet, and no patches or known exploits have been reported at the time of publication. The affected product, DX Dark Site, is a WordPress plugin developed by DevriX, used to create dark mode versions of websites. The lack of a patch means that users must rely on mitigation strategies until an official fix is released. The absence of required user interaction beyond authentication and the potential for persistent XSS elevate the risk profile of this vulnerability.

If exploited, this vulnerability could allow attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to persistent XSS attacks that compromise user sessions, steal sensitive information, or manipulate site content. The Stored XSS aspect means injected scripts remain on the site, affecting all users who access the compromised pages, thereby amplifying the impact. This can degrade user trust, lead to data breaches, and damage organizational reputation. For organizations relying on the DX Dark Site plugin, especially those with high traffic or sensitive user data, the risk of widespread compromise is significant. The vulnerability could also be leveraged as a foothold for further attacks within the network or to distribute malware. The absence of known exploits currently limits immediate widespread impact, but the potential for exploitation remains high once attackers develop proof-of-concept code.

Until an official patch is released, organizations should implement strict CSRF protections such as verifying anti-CSRF tokens on all state-changing requests within the DX Dark Site plugin. Review and harden user input validation and sanitization to prevent Stored XSS payloads from being saved or rendered. Limit user privileges to the minimum necessary to reduce the impact of compromised accounts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor web application logs for unusual or suspicious requests that may indicate exploitation attempts. Consider temporarily disabling or replacing the DX Dark Site plugin if feasible, especially in high-risk environments. Stay updated with DevriX announcements for patches and apply them promptly once available. Conduct regular security audits and penetration testing focused on CSRF and XSS vectors in the affected environment.