CVE-2024-12322 Overview
CVE-2024-12322 is a Cross-Site Request Forgery [CWE-352] vulnerability in the ThePerfectWedding.nl Widget plugin for WordPress, affecting all versions up to and including 2.8. The flaw stems from missing or incorrect nonce validation on the update_option function within the plugin's admin panel template. Unauthenticated attackers can craft forged requests that update the tpwKey option with attacker-controlled content, enabling stored Cross-Site Scripting (XSS) on the WordPress site. Exploitation requires a site administrator to click a malicious link or visit an attacker-controlled page while authenticated.
Critical Impact
Successful exploitation allows unauthenticated attackers to inject persistent JavaScript into the WordPress admin interface, potentially leading to administrator session hijacking and full site compromise.
Affected Products
- ThePerfectWedding.nl Widget plugin for WordPress
- All versions up to and including 2.8
- WordPress sites with the plugin installed and an authenticated administrator
Discovery Timeline
- 2025-01-07 - CVE-2024-12322 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12322
Vulnerability Analysis
The ThePerfectWedding.nl Widget plugin exposes an admin panel template (tpwAdminPanelTemplate.php) that processes option updates without verifying a WordPress nonce token. WordPress nonces are the standard mechanism for confirming that a state-changing request originated from the legitimate administrative interface rather than an external site. Because the plugin omits this check, the server cannot distinguish between a legitimate administrator submission and a forged cross-origin request. An attacker who lures an authenticated administrator to a malicious page can have the browser issue the update on the administrator's behalf, persisting the payload in the tpwKey option. The stored value is later rendered without adequate output encoding, producing stored XSS in the admin context.
Root Cause
The root cause is missing CSRF protection on a privileged state-changing handler. The plugin calls update_option to persist the tpwKey value without invoking check_admin_referer or wp_verify_nonce against a nonce generated by wp_nonce_field. This violates the WordPress security model for administrative actions and is classified under CWE-352. The absence of contextual output escaping when the stored value is later rendered compounds the issue into a chained CSRF-to-stored-XSS condition.
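The pattern described above, shown as an added illustration rather than the plugin's own code: a handler that persists a POSTed value straight into update_option next to the hardened form using the WordPress functions named in this section. The option name tpwKey and the template name come from the advisory; the form field name, the nonce action string and the tpw_example_* function names are assumptions made for this example.

```php
<?php
// Added illustration, not the plugin's own code. tpwKey is the option named in the
// advisory; the nonce action 'tpw_example_save_key', the field 'tpw_example_nonce'
// and the function names below are assumptions for this example.

// --- Vulnerable pattern (the CWE-352 condition) ---
// Nothing here proves the request came from the plugin's own settings form. Any
// request carrying the administrator's session cookie is honoured, including one
// that a third-party page caused the browser to send.
function tpw_example_save_key_vulnerable() {
    if ( isset( $_POST['tpwKey'] ) ) {
        update_option( 'tpwKey', $_POST['tpwKey'] ); // raw input, no nonce, no capability check
    }
}

// --- Hardened pattern ---
// 1. The settings form carries a nonce tied to one action name and the current user.
function tpw_example_render_form() {
    $current = get_option( 'tpwKey', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'tpw_example_save_key', 'tpw_example_nonce' ); ?>
        <label for="tpwKey">Widget key</label>
        <!-- esc_attr() keeps a stored value from breaking out of the attribute,
             which closes the output-encoding half of the CSRF-to-XSS chain. -->
        <input type="text" id="tpwKey" name="tpwKey" value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler checks capability, then the nonce, then sanitises before storing.
function tpw_example_save_key_hardened() {
    if ( ! isset( $_POST['tpwKey'] ) ) {
        return;
    }
    // A nonce is not an authorisation check: only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops the request (403) when the nonce is missing,
    // expired, or was issued for another action or user; this defeats the forgery.
    check_admin_referer( 'tpw_example_save_key', 'tpw_example_nonce' );

    // The key is a plain token, not HTML: strip tags and control characters.
    $key = sanitize_text_field( wp_unslash( $_POST['tpwKey'] ) );
    update_option( 'tpwKey', $key );
}
```

For a request submitted through admin-ajax.php the equivalent check is check_ajax_referer() with the same action name. Reviewing the plugin's changeset against this pattern is a quick way to confirm that all three layers (capability, nonce, escaping on output) are present rather than only one of them.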
Attack Vector
The attack is network-based and requires user interaction from a privileged administrator. An attacker hosts a page containing an auto-submitting HTML form or JavaScript that targets the plugin's admin update endpoint on the victim's WordPress site. When the administrator visits the attacker page while authenticated, the browser includes the WordPress session cookies and the forged request updates tpwKey with a malicious JavaScript payload. The payload executes in the administrator's browser context on every subsequent visit to pages rendering that option.
No verified exploit code is published. Technical details are available in the Wordfence Vulnerability Analysis and the affected source can be reviewed in the WordPress Plugin Trac source.
Detection Methods for CVE-2024-12322
Indicators of Compromise
- Unexpected values in the tpwKey WordPress option, particularly content containing <script>, onerror, onload, or encoded JavaScript payloads.
- Web server access logs showing POST requests to the plugin's admin template URL with an HTTP Referer header from an external domain.
- Administrator browser sessions executing unfamiliar outbound requests to attacker-controlled domains.
- New or modified administrator accounts created shortly after a suspicious admin login.
Detection Strategies
- Audit the wp_options table for the tpwKey value and compare against expected plugin configuration.
- Inspect HTTP request logs for state-changing POST requests to the plugin endpoint that lack a valid nonce parameter (_wpnonce).
- Hunt for anomalous JavaScript execution originating from WordPress admin pages by reviewing browser-side telemetry and Content Security Policy (CSP) violation reports.
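The two log- and data-side checks from the lists above, written out as an added triage script; it is not part of the advisory or of any vendor tooling. It reads access-log lines in the common "combined" format and flags POST requests to the plugin's admin endpoint that carry no _wpnonce in the query string or arrive with an absent or cross-origin Referer, and it applies a decode-then-match heuristic to a stored option value for the markers listed under Indicators of Compromise. The admin.php?page=tpwAdminPanelTemplate route, the site host and all sample lines are constructed for the example; pass the real endpoint marker and host for the installation being examined.

```php
<?php
// Added triage script, not part of the advisory or the plugin. Lines are expected in
// Apache/nginx "combined" format. The endpoint route and the sample data below are
// constructed for this example.

const TPW_EXAMPLE_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Returns one entry per suspicious line: source, time, status and the reasons flagged.
function tpw_example_flag_requests( array $lines, string $site_host, string $endpoint_marker ) {
    $flagged = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( TPW_EXAMPLE_LOG_RE, $line, $m ) ) {
            continue; // not combined format: skip rather than guess
        }
        list( , $ip, $when, $method, $target, $status, $referer ) = $m;
        // Only state-changing requests to the plugin's admin endpoint are of interest.
        if ( 'POST' !== strtoupper( $method ) || false === stripos( $target, $endpoint_marker ) ) {
            continue;
        }
        $reasons = array();

        // Check 1: nonce in the query string. POST bodies are not written to access
        // logs, so a clean result here still needs WAF or application-level logging.
        $query = (string) parse_url( $target, PHP_URL_QUERY );
        parse_str( $query, $params );
        if ( empty( $params['_wpnonce'] ) ) {
            $reasons[] = 'no _wpnonce in query string';
        }

        // Check 2: a legitimate save is posted from the site's own wp-admin pages.
        if ( '-' === $referer || '' === $referer ) {
            $reasons[] = 'Referer absent';
        } else {
            $ref_host = strtolower( (string) parse_url( $referer, PHP_URL_HOST ) );
            if ( $ref_host !== strtolower( $site_host ) ) {
                $reasons[] = "cross-origin Referer ($ref_host)";
            }
        }

        if ( $reasons ) {
            $flagged[] = array( 'ip' => $ip, 'time' => $when, 'status' => $status, 'reasons' => $reasons );
        }
    }
    return $flagged;
}

// Heuristic check of a stored option value. URL and HTML-entity encoding are
// undone first so that trivially encoded content still matches the markers.
function tpw_example_option_looks_injected( string $value ) : bool {
    $decoded = html_entity_decode( rawurldecode( $value ), ENT_QUOTES | ENT_HTML5 );
    return 1 === preg_match( '/<\s*script|\bon(?:error|load)\s*=|javascript\s*:|base64,/i', $decoded );
}

// --- Constructed sample data ---
$site_host  = 'shop.example';
$sample_log = array(
    '203.0.113.5 - - [07/Jan/2025:10:15:22 +0000] "POST /wp-admin/admin.php?page=tpwAdminPanelTemplate HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jan/2025:10:16:01 +0000] "POST /wp-admin/admin.php?page=tpwAdminPanelTemplate&_wpnonce=0123abcd45 HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=tpwAdminPanelTemplate" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jan/2025:10:17:45 +0000] "GET /wp-admin/admin.php?page=tpwAdminPanelTemplate HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2025:10:18:03 +0000] "POST /wp-admin/admin.php?page=tpwAdminPanelTemplate HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
);

foreach ( tpw_example_flag_requests( $sample_log, $site_host, 'tpwAdminPanelTemplate' ) as $hit ) {
    printf( "%s %s HTTP %s: %s\n", $hit['time'], $hit['ip'], $hit['status'], implode( '; ', $hit['reasons'] ) );
}
// Lines 1 and 4 are reported; line 2 has a nonce and a same-origin Referer, line 3 is a GET.

// Option values as they might be read back from wp_options (constructed samples).
foreach ( array( 'ABC123-widget-key', '&lt;img src=x onerror=alert(1)&gt;', '%3Cscript%3E1%3C/script%3E' ) as $v ) {
    printf( "%-40s %s\n", $v, tpw_example_option_looks_injected( $v ) ? 'SUSPECT' : 'ok' );
}
```

Treat an absent Referer as suspicious rather than benign: browsers can be instructed not to send one, so its absence proves nothing about origin. Both functions are triage aids, not verdicts; a hit should be followed by reading the actual tpwKey value (for instance with the WP-CLI command given under Workarounds) and by correlating the flagged request with the option's modification time in the audit log.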
Monitoring Recommendations
- Enable WordPress audit logging to capture option changes, plugin updates, and administrator activity.
- Forward web server and WordPress logs to a centralized SIEM for correlation of cross-origin POST requests with subsequent option modifications.
- Alert on creation of new administrator accounts or modifications to user roles following suspicious option changes.
How to Mitigate CVE-2024-12322
Immediate Actions Required
- Deactivate the ThePerfectWedding.nl Widget plugin until a patched release is confirmed installed.
- Inspect and sanitize the tpwKey option value, removing any HTML or JavaScript content.
- Rotate WordPress administrator passwords and invalidate active sessions if compromise is suspected.
- Review recent administrator activity and plugin installations for signs of follow-on actions.
Patch Information
A fix is reflected in the plugin source repository. Review the WordPress Changeset 3215206 for the corrective code and update the plugin to a version that incorporates this changeset. Confirm the installed version is later than 2.8 before re-enabling.
Workarounds
- Restrict administrator access to the WordPress dashboard by IP allowlist at the web server or WAF layer.
- Deploy a Web Application Firewall rule that blocks cross-origin POST requests to the plugin's admin template endpoint when no valid _wpnonce parameter is present.
- Enforce a strict Content Security Policy on the WordPress admin interface to limit inline script execution.
- Train administrators to avoid clicking unsolicited links while authenticated to WordPress.
# Example: query the tpwKey option value via WP-CLI to inspect for injected content
wp option get tpwKey
# Remove the option if a malicious value is found, then reconfigure via the plugin UI
wp option delete tpwKey
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.