CVE-2024-30454 Overview
CVE-2024-30454 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the VeronaLabs WP SMS plugin for WordPress. The flaw exists in all versions up to and including 6.6.2. An attacker can craft a malicious web page that, when visited by an authenticated administrator, triggers unauthorized state-changing actions within the WP SMS plugin. Successful exploitation impacts the confidentiality, integrity, and availability of the affected WordPress site. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery), is exploitable over the network, and requires user interaction.
Critical Impact
An authenticated administrator visiting an attacker-controlled page can have plugin actions executed on their behalf, leading to compromise of WP SMS plugin functionality and site integrity.
Affected Products
- VeronaLabs WP SMS plugin for WordPress
- All versions up to and including 6.6.2 (no lower bound is specified)
- Free edition distributed via the WordPress plugin directory
Discovery Timeline
- 2024-03-29 - CVE-2024-30454 published to the National Vulnerability Database
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-30454
Vulnerability Analysis
The WP SMS plugin fails to validate the origin and authenticity of state-changing HTTP requests. The plugin does not enforce anti-CSRF tokens (WordPress nonces) on sensitive administrative endpoints. An attacker exploits this by tricking an authenticated administrator into loading a crafted page or clicking a malicious link. The browser then submits an authenticated request to the WordPress site, and the plugin processes it as legitimate.
Because WP SMS handles SMS gateway configuration, subscriber data, and outbound messaging, abuse of plugin actions can alter integration credentials, modify subscriber records, or trigger messaging functionality. The attacker requires no prior authentication but does rely on social engineering to induce administrator interaction.
Root Cause
The root cause is missing or insufficient CSRF protection on privileged plugin endpoints. WordPress provides wp_nonce_field() and check_admin_referer() to mitigate CSRF, but WP SMS versions up to 6.6.2 do not consistently apply these controls. This omission allows cross-origin requests with valid authentication cookies to invoke administrative functionality.
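The following is an added illustration of the pattern described above, not code from WP SMS itself: a settings handler that trusts any authenticated POST, beside the same handler guarded with wp_nonce_field() and check_admin_referer(). The option name, action name and function names are hypothetical.

```php
<?php
// Added illustration, not WP SMS's code: hypothetical option 'wpsms_demo_gateway_key'
// and hypothetical admin-post action 'wpsms_demo_save_gateway'.

// BEFORE (the CWE-352 pattern): any authenticated POST is trusted. A form on an
// attacker's page posts here with the admin's cookies attached, and this runs.
function wpsms_demo_save_gateway_vulnerable() {
    if ( isset( $_POST['gateway_key'] ) ) {
        update_option( 'wpsms_demo_gateway_key', $_POST['gateway_key'] );
    }
}

// AFTER, step 1: the settings form carries a nonce bound to this action.
function wpsms_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpsms_demo_save_gateway', '_wpsms_nonce' ); ?>
        <input type="hidden" name="action" value="wpsms_demo_save_gateway">
        <input type="text" name="gateway_key">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: verify the nonce and the capability before changing state.
function wpsms_demo_save_gateway_hardened() {
    // Dies with a 403 when the nonce is missing, expired or forged, so a
    // cross-site POST (which cannot know the nonce) never reaches update_option().
    check_admin_referer( 'wpsms_demo_save_gateway', '_wpsms_nonce' );

    // A nonce proves intent, not authorization: check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $key = isset( $_POST['gateway_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['gateway_key'] ) )
        : '';
    update_option( 'wpsms_demo_gateway_key', $key );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_wpsms_demo_save_gateway', 'wpsms_demo_save_gateway_hardened' );
```

The nonce is tied to the logged-in user and to the action name, so a page on another origin cannot obtain a valid value to embed in its form.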
Attack Vector
Exploitation occurs over the network and requires user interaction from a privileged WordPress user. The attacker hosts a malicious page containing a hidden form or image element that automatically submits an HTTP request to the target WordPress site. If the victim is logged in as an administrator, the browser attaches session cookies and the plugin executes the embedded action.
See the Patchstack WP SMS CSRF Vulnerability advisory for technical details on the affected endpoints.
Detection Methods for CVE-2024-30454
Indicators of Compromise
- Unexpected modifications to WP SMS plugin settings, including gateway credentials or subscriber lists
- Outbound SMS messages or campaign records that do not correlate with legitimate administrator activity
- HTTP POST requests to WP SMS admin handlers carrying an external or missing Referer header
- New or modified subscriber entries appearing without corresponding admin sessions in audit logs
Detection Strategies
- Inspect web server access logs for POST requests to wp-admin/admin.php?page=wp-sms* endpoints where the Referer is absent or points to an external domain
- Correlate WP SMS configuration changes with WordPress user session activity to identify out-of-band modifications
- Deploy a web application firewall rule that flags state-changing requests to WP SMS handlers lacking a valid _wpnonce parameter
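The first detection strategy above, written out as an added example that is not part of this advisory: a PHP CLI script that parses access-log lines in the common "combined" format and flags POSTs to wp-admin/admin.php?page=wp-sms* whose Referer is absent or points to another host. The site hostname and the sample log lines are constructed.

```php
<?php
// Added detection example, not part of the advisory. Flags POSTs to WP SMS
// admin pages whose Referer is missing or off-site. SITE_HOST and the
// sample log lines are constructed for illustration.
const SITE_HOST = 'blog.example.org';

// Parse one Apache/nginx "combined" format line into its fields.
function parse_combined_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// A state-changing request to a WP SMS admin screen that the site's own
// admin UI did not issue: no Referer, or a Referer on another host.
function is_suspicious_wpsms_post(array $req, string $siteHost): bool {
    if ($req['method'] !== 'POST') {
        return false;
    }
    if (strpos($req['path'], '/wp-admin/admin.php?page=wp-sms') !== 0) {
        return false;
    }
    if ($req['referer'] === '' || $req['referer'] === '-') {
        return true;
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, $siteHost) !== 0;
}

// Constructed lines: a legitimate save, a cross-site forged POST, a forged
// POST with Referer suppressed, and a harmless GET.
$sample = [
    '203.0.113.5 - - [29/Mar/2024:10:01:12 +0000] "POST /wp-admin/admin.php?page=wp-sms-settings HTTP/1.1" 302 0 "https://blog.example.org/wp-admin/admin.php?page=wp-sms-settings" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Mar/2024:10:03:44 +0000] "POST /wp-admin/admin.php?page=wp-sms-settings HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Mar/2024:10:04:01 +0000] "POST /wp-admin/admin.php?page=wp-sms-subscribers HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Mar/2024:10:05:30 +0000] "GET /wp-admin/admin.php?page=wp-sms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach ($sample as $line) {
    $req = parse_combined_line($line);
    if ($req !== null && is_suspicious_wpsms_post($req, SITE_HOST)) {
        printf("[ALERT] %s %s POST %s referer=%s\n", $req['time'], $req['ip'], $req['path'], $req['referer']);
    }
}
```

Only the second and third sample lines are reported. A "-" Referer is how the combined format records an absent header; since browsers and privacy extensions can also suppress Referer on legitimate requests, treat missing-Referer hits as leads to correlate with the session and audit logs rather than as proof of forgery.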
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin setting changes and administrator action history
- Monitor SMS gateway billing and traffic for anomalous spikes that may indicate abuse via CSRF
- Alert on administrator browser sessions that issue requests immediately after navigating to untrusted external sites
How to Mitigate CVE-2024-30454
Immediate Actions Required
- Update the WP SMS plugin to a version later than 6.6.2 as soon as a fixed release is available from VeronaLabs
- Audit WP SMS configuration, subscriber data, and recent outbound messages for unauthorized changes
- Restrict WordPress administrator accounts and require those users to log out of admin sessions before browsing untrusted content
Patch Information
Reference the Patchstack WP SMS CSRF Vulnerability advisory for current patch availability and remediated versions. Apply vendor updates through the WordPress plugin management interface or via WP-CLI.
Workarounds
- Deploy a web application firewall rule that blocks WP SMS admin requests lacking a valid WordPress nonce parameter
- Restrict access to /wp-admin/ paths by source IP address using web server configuration or hosting provider controls
- Temporarily deactivate the WP SMS plugin if SMS functionality is not business-critical until a patched version is installed
- Enforce SameSite=Strict cookies for WordPress authentication where the site theme and integrations permit
# Example: update WP SMS via WP-CLI once a fixed version is released
wp plugin update wp-sms --version=<patched-version>
# Example: temporarily deactivate the plugin
wp plugin deactivate wp-sms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.