CVE-2024-54436: Cross-Site Request Forgery (CSRF) in milordk Jet Footer Code
Cross-Site Request Forgery (CSRF) vulnerability in milordk Jet Footer Code (jet-footer-code) allows Stored XSS. This issue affects Jet Footer Code: from n/a through <= 1.4.
AI Analysis
Technical Summary
CVE-2024-54436 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the milordk Jet Footer Code WordPress plugin (slug jet-footer-code), affecting every release up to and including 1.4. The plugin exists to let a site owner add arbitrary markup and scripts to the site footer, so the stored setting is printed unescaped on every front-end page by design; the flaw is that the request which saves that setting is not tied to an action the user actually intended. An attacker can host a page that submits the save request to the target site. If the visitor is logged in to WordPress with a session entitled to change the plugin's settings (typically an administrator), the browser attaches the session cookies and the attacker's markup is stored as the footer code. From then on the payload executes as stored XSS in the browser of every visitor, with the usual consequences: theft of session cookies or credentials, actions performed with the victim's privileges, or redirection to attacker-controlled sites. The root cause is the absence of a CSRF defence, such as WordPress nonce validation combined with a capability check, in the plugin's request handling. Two practical caveats apply: the attacker must lure a sufficiently privileged user while that user holds an active session, and whether the forged request carries the session depends on the request method the vulnerable handler accepts and on the browser's default SameSite treatment of WordPress's authentication cookies, on which WordPress core sets no explicit SameSite attribute. At the time of analysis no CVSS score had been assigned and no patch or public exploit was known; the advisory, assigned by Patchstack, was published in December 2024.
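The missing checks described above, and the nonce-and-capability fix recommended under Mitigation Recommendations, as an added PHP illustration. This is not the Jet Footer Code plugin's code and not from the advisory: it is a minimal WordPress options handler that stores raw footer markup, shown first in the CSRF-vulnerable shape and then hardened. The option name `demo_footer_code`, the nonce action `demo_footer_code_save`, the nonce field `demo_footer_code_nonce` and the page slug `demo-footer-code` are hypothetical; the WordPress functions used (`check_admin_referer()`, `wp_nonce_field()`, `current_user_can()`, `wp_kses_post()`) are real core APIs.

```php
<?php
/**
 * Added illustration, not code from the Jet Footer Code plugin or from the
 * advisory: a minimal WordPress settings handler that stores raw footer
 * markup, first in the CSRF-vulnerable shape and then hardened.
 *
 * Hypothetical names (not from the advisory): option 'demo_footer_code',
 * nonce action 'demo_footer_code_save', nonce field 'demo_footer_code_nonce',
 * settings page slug 'demo-footer-code'.
 */

// VULNERABLE PATTERN (kept for comparison; deliberately not hooked in).
// Any POST that arrives with the victim's WordPress auth cookies is honoured,
// so a form on an attacker's page, auto-submitted by a logged-in administrator,
// writes attacker-chosen markup that wp_footer later prints on every page.
function demo_footer_code_save_vulnerable() {
    if ( isset( $_POST['demo_footer_code'] ) ) {
        update_option( 'demo_footer_code', wp_unslash( $_POST['demo_footer_code'] ) );
    }
}

// HARDENED HANDLER: authorisation check, then nonce check, before any write.
function demo_footer_code_save_hardened() {
    if ( ! isset( $_POST['demo_footer_code'] ) ) {
        return;
    }
    // 1. Authorisation: only users allowed to manage site options may save.
    //    A nonce proves intent, not permission, so this check is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change the footer code.', 403 );
    }
    // 2. CSRF defence: the nonce is bound to this user and session and was
    //    emitted only in the form WordPress rendered for them, so a cross-site
    //    page cannot supply a valid one. check_admin_referer() terminates the
    //    request with an error page when the nonce is missing or invalid.
    check_admin_referer( 'demo_footer_code_save', 'demo_footer_code_nonce' );

    $code = wp_unslash( $_POST['demo_footer_code'] );
    // 3. Footer code is raw HTML/JS by design and cannot simply be escaped.
    //    Respect WordPress's own policy on who may publish unfiltered markup
    //    (DISALLOW_UNFILTERED_HTML, multisite): everyone else gets a filtered copy.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $code = wp_kses_post( $code );
    }
    update_option( 'demo_footer_code', $code );
}
add_action( 'admin_init', 'demo_footer_code_save_hardened' );

// Settings form: wp_nonce_field() emits the hidden nonce (plus a referer field)
// that check_admin_referer() verifies in the handler above.
function demo_footer_code_page() {
    ?>
    <div class="wrap">
        <h1>Footer Code</h1>
        <form method="post">
            <?php wp_nonce_field( 'demo_footer_code_save', 'demo_footer_code_nonce' ); ?>
            <textarea name="demo_footer_code" rows="8" cols="80"><?php
                echo esc_textarea( get_option( 'demo_footer_code', '' ) );
            ?></textarea>
            <?php submit_button( 'Save footer code' ); ?>
        </form>
    </div>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Footer Code', 'Footer Code', 'manage_options',
        'demo-footer-code', 'demo_footer_code_page' );
} );

// Front-end output (identical for both versions): the stored value is printed
// verbatim into every page, which is why one forged save becomes stored XSS.
add_action( 'wp_footer', function () {
    echo get_option( 'demo_footer_code', '' );
} );
```

Dropped into a plugin file, the hardened handler rejects a forged cross-site POST even when it arrives with valid session cookies, because the attacker cannot know the per-user nonce. The idiomatic alternative in WordPress is the Settings API (`register_setting()`, `settings_fields()` and a form posting to `options.php`), which performs the same nonce and capability checks automatically; the hand-written version above only makes visible what those checks are.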
Potential Impact
The primary impact is the persistent injection of attacker-controlled script into every page of a site running the vulnerable plugin, compromising the confidentiality and integrity of visitor and administrator sessions and data. Consequences include session hijacking, credential theft, defacement, drive-by malware delivery and, because administrators also load the footer, further abuse of their privileges through their own browser, such as creating accounts or installing plugins. Organizations running affected versions risk reputational damage, loss of user trust and regulatory consequences if user data is exposed. Exploitation needs a specific victim: an authenticated user with the privilege to change the footer code, in most installs an administrator, who visits an attacker-controlled page while logged in. Once that single forged request succeeds, the payload reaches all visitors, not only the victim. WordPress's large install base broadens the exposure, and although no active exploitation has been reported, the low attacker effort and the persistence of stored XSS make this a high-risk issue if left unmitigated.
Mitigation Recommendations
Organizations should check the installed version of the milordk Jet Footer Code plugin (visible on the Plugins screen or through WP-CLI) and, because the advisory covers every release through 1.4, update to a later fixed version as soon as one is published. Until then, restrict the capability to edit the footer code to the smallest set of trusted users, and consider deactivating the plugin, which also stops the stored footer code from being rendered. Add WAF rules that reject POST requests to the WordPress admin endpoints whose Origin or Referer header is absent or names a foreign host, since that is how a cross-site forged request arrives. A Content Security Policy helps only if it disallows inline script (nonce- or hash-based sources): the footer code is itself inline markup, so a policy that permits 'unsafe-inline' blocks nothing. Monitor access logs for POST requests to admin endpoints with missing or cross-site referrers, and audit the plugin's saved footer code and the rendered page source for markup no administrator put there. Educating privileged users about phishing lowers the chance that they open the attacker's page while logged in. Finally, the plugin maintainer should guard every state-changing request with both a WordPress nonce check and a capability check; the Settings API performs both when used as intended.
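One way to act on the log-monitoring advice above, as an added PHP example that is not part of the advisory or the plugin: scan combined-format access log lines for POST requests to WordPress admin endpoints whose Referer is missing or points at a foreign host, which is the shape a cross-site forged request leaves in the log. The site host `blog.example.test` and the log lines are constructed for the example; the advisory does not name the plugin's save endpoint, so the filter matches any POST under `/wp-admin/`, and `admin-post.php` in the sample lines is only an assumed target.

```php
<?php
/**
 * Added illustration, not from the advisory or the plugin: flag POST requests
 * to WordPress admin endpoints whose Referer is absent or names a foreign
 * host, as a cross-site forged request would, in Apache/Nginx "combined"
 * access logs. Host name and log lines below are constructed sample data.
 */

const DEMO_SITE_HOST = 'blog.example.test';

// Constructed sample lines: a legitimate settings-page load and save, then a
// save referred from a foreign page, a save with no referrer, and a public GET.
const DEMO_LOG_LINES = [
    '203.0.113.7 - - [02/Dec/2024:10:01:12 +0000] "GET /wp-admin/options-general.php?page=demo-footer-code HTTP/1.1" 200 5120 "https://blog.example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Dec/2024:10:01:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.test/wp-admin/options-general.php?page=demo-footer-code" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Dec/2024:10:15:03 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example.net/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Dec/2024:10:16:55 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Dec/2024:10:20:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];

/** Parse one combined-format line into its fields, or null if it does not match. */
function demo_parse_combined( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

/**
 * Return the admin POSTs that look cross-site. Absence of a Referer is only a
 * signal, not proof: an attacker page can suppress it with Referrer-Policy and
 * non-browser clients never send one, but a browser submitting a wp-admin form
 * from a wp-admin page does send the same-origin referrer.
 */
function demo_find_cross_site_admin_posts( array $lines, string $site_host ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $r = demo_parse_combined( $line );
        if ( $r === null || $r['method'] !== 'POST' || strpos( $r['path'], '/wp-admin/' ) !== 0 ) {
            continue;
        }
        $ref_host = $r['referer'] === '-' ? null : parse_url( $r['referer'], PHP_URL_HOST );
        if ( ! is_string( $ref_host ) ) {
            $reason = 'no or unparsable Referer';
        } elseif ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $reason = 'cross-site Referer host ' . $ref_host;
        } else {
            continue; // same-origin: the normal shape of an admin form submission
        }
        $hits[] = [ 'ip' => $r['ip'], 'time' => $r['time'], 'path' => $r['path'], 'reason' => $reason ];
    }
    return $hits;
}

foreach ( demo_find_cross_site_admin_posts( DEMO_LOG_LINES, DEMO_SITE_HOST ) as $h ) {
    printf( "%s %s %s: %s\n", $h['time'], $h['ip'], $h['path'], $h['reason'] );
}
```

Run against a real log, the script reports only the two forged-looking saves from the sample data and ignores the legitimate one, because the legitimate submission is referred from the site's own admin page. Pair the output with a diff of the plugin's stored footer code around each flagged timestamp to confirm whether a change actually landed.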
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2024-12-02T14:02:37.548Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69cd75ade6bfc5ba1df06d46
Added to database: 4/1/2026, 7:44:45 PM
Last enriched: 4/2/2026, 9:36:35 AM
Last updated: 4/4/2026, 8:16:22 AM