CVE-2024-24802 Overview
CVE-2024-24802 is a Cross-Site Request Forgery (CSRF) vulnerability in the John Tendik JTRT Responsive Tables plugin for WordPress. The flaw affects all plugin versions from initial release through 4.1.9. The weakness is tracked under [CWE-352] and was published to the National Vulnerability Database on February 21, 2024.
An attacker can craft a malicious web page that, when visited by an authenticated WordPress administrator, triggers unauthorized state-changing actions on the target site. Successful exploitation can compromise confidentiality, integrity, and availability of the affected WordPress installation.
Critical Impact
Exploitation enables unauthorized administrative actions on WordPress sites running JTRT Responsive Tables through 4.1.9, with high impact across confidentiality, integrity, and availability.
Affected Products
- JTRT Responsive Tables WordPress plugin versions through 4.1.9
- WordPress sites with an authenticated administrator using the plugin
- Installations that have not applied the vendor-provided fix
Discovery Timeline
- 2024-02-21 - CVE-2024-24802 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-24802
Vulnerability Analysis
The vulnerability stems from missing or insufficient CSRF protections in plugin request handlers. JTRT Responsive Tables fails to validate that state-changing HTTP requests originate from the intended user session. WordPress provides nonce mechanisms through wp_nonce_field() and check_admin_referer(), but the plugin does not enforce these checks consistently on privileged endpoints.
The attack requires user interaction, typically tricking a logged-in administrator into clicking a crafted link or loading a malicious page. The browser then submits the forged request with the administrator's existing session cookies. The result is unauthorized configuration changes or data manipulation through the plugin's interface.
Root Cause
The root cause is the absence of anti-CSRF tokens on sensitive request handlers within the plugin. Without nonce validation, the server cannot distinguish a legitimate administrator action from a request forged by a third-party site. This is a classic [CWE-352] weakness pattern in WordPress plugins.
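The following is an added illustration, not code from the JTRT Responsive Tables plugin, of the weakness pattern described above: a form handler registered through admin-post.php that changes plugin state without any nonce check, beside the same handler hardened with a capability check and check_admin_referer(). It assumes a WordPress runtime; the hook name, action name, option name and field names are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Assumes it runs inside WordPress.
// The action name, option name and form field names below are hypothetical.

// --- Vulnerable shape: the handler trusts any request that carries the
// administrator's session cookies, including one auto-submitted by a form on
// a third-party page. Shown for contrast; it is deliberately not hooked in.
function jtrt_example_save_unprotected() {
    $title = isset($_POST['table_title'])
        ? sanitize_text_field(wp_unslash($_POST['table_title']))
        : '';
    update_option('jtrt_example_table_title', $title); // state change, no CSRF check
    wp_safe_redirect(admin_url('admin.php?page=jtrt_example'));
    exit;
}

// --- Hardened shape, step 1: emit a nonce when rendering the settings form.
// wp_nonce_field() ties the token to this action and to the current user's session.
function jtrt_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="jtrt_example_save">
        <?php wp_nonce_field('jtrt_example_save', '_jtrt_nonce'); ?>
        <label>Table title <input type="text" name="table_title"></label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// --- Hardened shape, step 2: reject unauthorized and forged requests before
// touching any state. Only this version is registered on the admin_post hook.
add_action('admin_post_jtrt_example_save', 'jtrt_example_save_protected');
function jtrt_example_save_protected() {
    // Authorization: the caller must actually be allowed to change settings.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    // CSRF defence: check_admin_referer() validates the nonce named in the
    // second argument against the action and the logged-in user, and stops
    // execution (wp_nonce_ays) when it is missing, expired or forged.
    check_admin_referer('jtrt_example_save', '_jtrt_nonce');

    $title = isset($_POST['table_title'])
        ? sanitize_text_field(wp_unslash($_POST['table_title']))
        : '';
    update_option('jtrt_example_table_title', $title);
    wp_safe_redirect(admin_url('admin.php?page=jtrt_example'));
    exit;
}
```

The nonce alone is not a substitute for the capability check: a nonce proves the request came from a page this user loaded, while current_user_can() proves the user may perform the action, and a handler needs both.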
Attack Vector
Attack execution is network-based with low complexity and requires no attacker privileges. The attacker hosts a malicious HTML page containing an auto-submitting form or image tag targeting the vulnerable plugin endpoint. When an authenticated administrator visits the page, the browser submits the request along with valid authentication cookies. The plugin processes the action as if it were intentional, allowing the attacker to alter plugin data or trigger administrative functions.
No verified public exploit code is currently associated with this CVE. The vulnerability mechanism is described in the Patchstack CSRF Vulnerability Advisory.
Detection Methods for CVE-2024-24802
Indicators of Compromise
- Unexpected modifications to JTRT Responsive Tables data or plugin settings without a corresponding administrator session log entry
- HTTP POST requests to plugin endpoints with Referer headers pointing to external, untrusted domains
- Administrator account activity originating from atypical IP addresses or user agents shortly before configuration changes
Detection Strategies
- Inspect web server access logs for cross-origin requests targeting wp-admin/admin.php or admin-ajax.php actions associated with the plugin
- Compare WordPress audit logs against expected administrator workflows to surface unauthorized plugin operations
- Deploy a Web Application Firewall (WAF) rule that flags state-changing requests lacking valid WordPress nonces
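As an added example of the first detection strategy, the PHP command-line script below scans Combined Log Format access log lines for POST requests to the WordPress admin endpoints whose Referer does not belong to the site, or is absent altogether. It is not part of the advisory or the plugin; the log lines are constructed, and the site host name is an assumption.

```php
<?php
// Added example (not the advisory's or the plugin's code): flag POSTs to the
// WordPress admin endpoints whose Referer host is not the site itself.
// Input format: Combined Log Format (Apache/nginx default). Sample lines are constructed.

const ADMIN_ENDPOINTS = ['/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php'];

// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LOG_PATTERN = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
    . '"(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ '
    . '"(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

function parse_log_line(string $line): ?array {
    // Lines that do not match the expected layout are skipped, not guessed at.
    return preg_match(LOG_PATTERN, $line, $m) ? $m : null;
}

// Returns a verdict string for suspicious requests, or null for benign/irrelevant ones.
function classify_request(array $req, string $site_host): ?string {
    if ($req['method'] !== 'POST') {
        return null; // only state-changing requests matter for CSRF
    }
    $path = parse_url($req['path'], PHP_URL_PATH);
    if (!in_array($path, ADMIN_ENDPOINTS, true)) {
        return null;
    }
    if ($req['referer'] === '-' || $req['referer'] === '') {
        // wp-admin pages normally send a same-origin Referer on POST; a missing
        // one deserves a look but is a weaker signal than a foreign host.
        return 'no-referer';
    }
    $ref_host = parse_url($req['referer'], PHP_URL_HOST);
    if (!is_string($ref_host) || strcasecmp($ref_host, $site_host) !== 0) {
        return 'cross-origin';
    }
    return null;
}

function scan_access_log(array $lines, string $site_host): array {
    $findings = [];
    foreach ($lines as $n => $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $verdict = classify_request($req, $site_host);
        if ($verdict !== null) {
            $findings[] = [
                'line'    => $n + 1,
                'verdict' => $verdict,
                'ip'      => $req['ip'],
                'time'    => $req['time'],
                'path'    => $req['path'],
                'status'  => $req['status'],
                'referer' => $req['referer'],
            ];
        }
    }
    return $findings;
}

// Constructed sample: one legitimate admin POST, one cross-origin POST, one GET
// (ignored), and one POST with no Referer.
$sample = [
    '203.0.113.5 - - [21/Feb/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://blog.example/wp-admin/admin.php?page=jtrt_tables" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Feb/2024:10:05:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://third-party.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2024:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Feb/2024:10:07:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample, 'blog.example') as $f) {
    printf("line %d: %-12s %s %s -> %s (referer: %s)\n",
        $f['line'], $f['verdict'], $f['ip'], $f['path'], $f['status'], $f['referer']);
}
```

Run it with `php scan.php`; on the constructed sample it reports line 2 as cross-origin and line 4 as no-referer. Pipe a real log in by replacing `$sample` with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)`. Pair the cross-origin hits with the plugin's own admin-ajax action names (from the POST body, which access logs do not record) to narrow the results to the JTRT endpoints.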
Monitoring Recommendations
- Enable a WordPress activity logging plugin to record administrative actions and changes to plugin-managed tables
- Forward WordPress and web server logs to a centralized SIEM for correlation with browsing telemetry from administrator workstations
- Alert on anomalous referrer patterns or rapid sequences of plugin configuration changes following an administrator click event
How to Mitigate CVE-2024-24802
Immediate Actions Required
- Update JTRT Responsive Tables to a release later than 4.1.9 once the vendor publishes a fixed version
- Audit existing plugin-managed tables and settings for unauthorized modifications
- Require administrators to log out of WordPress sessions before browsing untrusted sites
Patch Information
Review the Patchstack CSRF Vulnerability Advisory for the latest patch status. If no upstream fix is available, consider replacing the plugin or applying virtual patching via a WAF until a vendor update is released.
Workarounds
- Restrict access to /wp-admin/ by IP allowlist to reduce exposure of administrator sessions
- Deploy a WAF rule that blocks requests to plugin endpoints when the Referer or Origin header does not match the site domain
- Use browser session isolation, such as a dedicated browser profile for WordPress administration, to limit cross-site request abuse
- Enforce SameSite cookie attributes on WordPress authentication cookies where supported
# Example WAF rule (ModSecurity) blocking cross-origin POSTs to admin-ajax.php.
# All three chained rules must match for the deny to fire; phase 1 is enough
# because only request headers are inspected. Replace https://your-site.example
# with the site's real origin (scheme and host, no trailing slash). The last
# rule uses @streq rather than @beginsWith so that an Origin value that merely
# starts with the site's origin is not accepted as a prefix match. A request
# that carries no Origin header at all is not evaluated by that rule and is
# allowed through, so this rule complements, rather than replaces, nonce checks.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1024802,phase:1,deny,status:403,log,chain,msg:'Blocked cross-origin admin-ajax request'"
    SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
        "chain"
    SecRule REQUEST_HEADERS:Origin "!@streq https://your-site.example" \
        "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.