CVE-2024-30482 Overview
CVE-2024-30482 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the Simple Revisions Delete plugin for WordPress, developed by Brice CAPOBIANCO. It affects all plugin versions up to and including 1.5.3. An attacker who tricks an authenticated WordPress user into clicking a crafted link or visiting a malicious page can cause the victim's browser to submit unauthorized state-changing requests to the plugin. The vulnerability is reachable over the network, requires user interaction, and can compromise the confidentiality, integrity, and availability of the affected WordPress site.
Critical Impact
Successful exploitation allows attackers to perform privileged actions in the context of an authenticated administrator, including deletion of post revisions and potential abuse of plugin functionality without the victim's consent.
Affected Products
- Simple Revisions Delete plugin for WordPress (vendor: b-website)
- All versions through 1.5.3 (no earliest affected version is specified; the advisory lists it as n/a)
- WordPress installations using the affected plugin with administrator sessions
Discovery Timeline
- 2024-03-29 - CVE-2024-30482 published to the National Vulnerability Database (NVD)
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-30482
Vulnerability Analysis
The vulnerability stems from missing or improperly validated anti-CSRF tokens on state-changing endpoints exposed by the Simple Revisions Delete plugin. WordPress provides a nonce mechanism (wp_nonce_field, check_admin_referer, wp_verify_nonce) intended to prevent forged requests. When a plugin omits these checks or accepts requests without verifying origin and token, an attacker can craft an external page that submits requests to the target site using the victim's authenticated session cookies.
The attack is network-reachable and requires user interaction, typically by luring an authenticated administrator to a malicious URL. Because the request inherits the victim's privileges, the server processes the action as legitimate.
Root Cause
The root cause is the absence of sufficient request origin validation on administrative actions exposed by the plugin through versions up to 1.5.3. Without a verified nonce tied to the user's session, the plugin cannot distinguish between intentional user submissions and requests forged by an external attacker-controlled page.
Attack Vector
An attacker hosts a page containing a hidden form or image tag that auto-submits to the vulnerable plugin endpoint. When an authenticated WordPress administrator visits the page, the browser automatically attaches session cookies. The plugin processes the action as if the administrator intended it. Refer to the Patchstack CSRF Vulnerability Report for the technical advisory.
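The defect class described above, as an added illustration that is not the plugin's own code: a hypothetical admin-post handler that purges a post's revisions with no nonce check, beside a hardened version that calls check_admin_referer and current_user_can before touching any state, together with the form that embeds the matching nonce. The action name srd_purge, the nonce action srd_purge_revisions and the function names are assumptions.

```php
<?php
// Added illustration (not the Simple Revisions Delete plugin's own code).
// Hypothetical handler for a form posted to admin-post.php?action=srd_purge.

// Vulnerable pattern: trusts the request because a session cookie is present.
function srd_purge_revisions_vulnerable() {
    $post_id = (int) ( $_REQUEST['post_id'] ?? 0 );
    foreach ( wp_get_post_revisions( $post_id ) as $rev ) {
        wp_delete_post_revision( $rev->ID );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// Hardened pattern: require a nonce tied to this action and the user's session,
// plus a capability check, before any revision is deleted.
function srd_purge_revisions_hardened() {
    // Dies with "The link you followed has expired." if _wpnonce is missing or invalid.
    check_admin_referer( 'srd_purge_revisions' );

    $post_id = (int) ( $_POST['post_id'] ?? 0 );
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'srd-example' ), 403 );
    }
    foreach ( wp_get_post_revisions( $post_id ) as $rev ) {
        wp_delete_post_revision( $rev->ID );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_srd_purge', 'srd_purge_revisions_hardened' );

// The legitimate form must carry the nonce the handler verifies; a page on an
// attacker-controlled origin cannot obtain it for the victim's session.
function srd_render_purge_form( $post_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="srd_purge">
        <input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>">
        <?php wp_nonce_field( 'srd_purge_revisions' ); ?>
        <button type="submit">Delete revisions</button>
    </form>
    <?php
}
```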
Detection Methods for CVE-2024-30482
Indicators of Compromise
- Unexpected deletion of post revisions or bulk revision-cleanup actions recorded in WordPress activity logs
- HTTP POST or GET requests to plugin endpoints with Referer headers pointing to external, untrusted domains
- Administrator account actions originating outside normal working hours or geographic patterns
Detection Strategies
- Inspect web server access logs for requests to Simple Revisions Delete plugin endpoints that lack a _wpnonce parameter (access logs only show whether a token is present; its validity is checked server-side, and POST bodies are not logged)
- Correlate authenticated session activity with cross-origin Referer headers to identify forged requests
- Monitor WordPress audit plugins for unauthorized revision deletion events tied to administrator sessions
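The first two strategies above, as an added PHP 8 script that is not part of the advisory: it scans Combined Log Format lines for wp-admin requests referencing the plugin that have no _wpnonce parameter or carry a Referer from another host. The site host, the plugin page slug used as a request marker, and the log lines are constructed assumptions.

```php
<?php
// Added example (not from the original advisory): flag access-log entries for the
// plugin's admin endpoint that arrive without a _wpnonce or from a foreign Referer.
// Only GET parameters are visible in access logs; POST bodies are not.

const SITE_HOST     = 'example.com';               // assumed site host
const PLUGIN_MARKER = 'simple-revisions-delete';   // assumed marker for plugin requests
// Combined Log Format; the quoted field after the size is the Referer.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/';

function analyze_line(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $target, $status, $referer] = $m;
    $path = (string) parse_url($target, PHP_URL_PATH);
    parse_str((string) parse_url($target, PHP_URL_QUERY), $query);
    // Only wp-admin requests that reference the plugin are in scope.
    if (!str_contains($path, '/wp-admin/') || !str_contains($target, PLUGIN_MARKER)) {
        return null;
    }
    $reasons = [];
    if (!isset($query['_wpnonce'])) {
        $reasons[] = 'no _wpnonce parameter';
    }
    $ref_host = $referer === '-' ? null : parse_url($referer, PHP_URL_HOST);
    if ($ref_host !== null && strcasecmp($ref_host, SITE_HOST) !== 0) {
        $reasons[] = "cross-origin Referer host $ref_host";
    }
    return $reasons ? compact('ip', 'ts', 'method', 'target', 'status', 'reasons') : null;
}

// Constructed sample: one legitimate request (nonce present, same-origin Referer)
// and one that looks forged (no nonce, Referer on a foreign host).
$sample = <<<'LOG'
203.0.113.7 - - [29/Mar/2024:10:15:02 +0000] "GET /wp-admin/admin.php?page=simple-revisions-delete&purge=12&_wpnonce=9f3c1a2b4e HTTP/1.1" 200 512 "https://example.com/wp-admin/admin.php?page=simple-revisions-delete" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2024:10:17:44 +0000] "GET /wp-admin/admin.php?page=simple-revisions-delete&purge=12 HTTP/1.1" 200 512 "https://lure.invalid/page.html" "Mozilla/5.0"
LOG;

foreach (explode("\n", $sample) as $line) {
    if ($hit = analyze_line($line)) {
        printf("%s %s %s %s -> %s\n", $hit['ts'], $hit['ip'], $hit['method'],
            $hit['target'], implode('; ', $hit['reasons']));
    }
}
```

Only the second line is reported, with both reasons; the same-origin request with a nonce passes silently.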
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture revision-deletion and plugin-action events
- Forward web server and WordPress logs to a centralized SIEM for cross-origin request analysis
- Alert on administrator-initiated bulk actions that occur immediately after navigation from an external Referer
How to Mitigate CVE-2024-30482
Immediate Actions Required
- Update the Simple Revisions Delete plugin to a version newer than 1.5.3 once the vendor publishes a fixed release
- Audit administrator accounts and recent revision-related activity for unauthorized changes
- Require administrators to log out of WordPress sessions when not actively managing the site
Patch Information
At the time of publication, the advisory lists affected versions through 1.5.3 with no fixed version specified in the referenced Patchstack report. Site operators should monitor the WordPress plugin repository for an updated release that introduces nonce verification on all state-changing endpoints.
Workarounds
- Deactivate and remove the Simple Revisions Delete plugin until a patched version is available
- Restrict WordPress administration access using IP allowlisting at the web server or WAF layer
- Deploy a web application firewall rule to block cross-origin requests targeting WordPress admin endpoints without valid nonce parameters
- Train administrators to log out of WordPress before browsing untrusted sites and to use a separate browser profile for site administration
# Example: temporarily deactivate the plugin via WP-CLI
wp plugin deactivate simple-revisions-delete
wp plugin delete simple-revisions-delete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.