CVE-2024-51655 Overview
CVE-2024-51655 is a Cross-Site Request Forgery (CSRF) vulnerability in the microkid Custom Author URL WordPress plugin (also known as author-slug). The flaw affects all plugin versions up to and including 2.0.1. An attacker can chain the CSRF condition to inject persistent JavaScript payloads, resulting in Stored Cross-Site Scripting (XSS). Successful exploitation requires tricking an authenticated administrator into visiting an attacker-controlled page. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
An attacker can forge requests on behalf of an authenticated administrator to inject persistent JavaScript into the WordPress site, enabling session theft, account takeover, and arbitrary actions in the victim's browser context.
Affected Products
- microkid Custom Author URL (author-slug) plugin for WordPress
- All versions from initial release through 2.0.1
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2024-11-19 - CVE-2024-51655 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-51655
Vulnerability Analysis
The Custom Author URL plugin lets WordPress administrators define custom slugs for author archive URLs. The plugin's settings handler does not validate the origin of incoming state-changing requests. An attacker hosting a malicious page can submit a forged form or request that the victim's browser delivers to the plugin's settings endpoint with the victim's authenticated session cookies attached.
Because the affected endpoint also fails to sanitize or encode input written into the plugin's stored configuration, attacker-controlled JavaScript is persisted in the database. When any user later loads a page that renders the stored author-slug value, the payload executes in their browser. This pairs a request forgery weakness with a stored output-encoding failure to escalate impact.
Root Cause
The root cause is the absence of a valid CSRF token check (such as a WordPress nonce verified with check_admin_referer() or wp_verify_nonce()) on the plugin's settings update handler. A secondary defect is the lack of server-side output encoding or sanitization of the author-slug value before it is stored and later rendered, which converts a CSRF primitive into a Stored XSS condition.
Attack Vector
Exploitation is remote and user-interaction dependent. The attacker crafts an HTML page containing an auto-submitting form or fetch request targeting the plugin's vulnerable settings endpoint, with the malicious JavaScript payload supplied as the author slug. A logged-in WordPress administrator must visit that page or follow a link to it. The browser submits the forged request with valid session cookies, the plugin stores the payload, and subsequent page renders execute the script in the context of any visitor, including other administrators.
No verified public proof-of-concept code is available. See the Patchstack advisory for additional technical details.
Detection Methods for CVE-2024-51655
Indicators of Compromise
- Unexpected <script> tags, event handlers, or JavaScript URIs stored in the plugin's options row in the wp_options table.
- Author archive pages or admin screens rendering script content sourced from the author-slug configuration.
- Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after visiting external links.
- WordPress access logs showing POST requests to the plugin's settings handler with a Referer header pointing to an untrusted external site.
Detection Strategies
- Audit the wp_options table for entries owned by the Custom Author URL plugin and inspect their values for HTML or JavaScript content.
- Inspect rendered HTML of author archive pages for unexpected inline scripts or attributes.
- Review web server logs for POST requests to plugin administrative endpoints lacking same-origin Referer headers.
- Enable WordPress activity logging to capture changes to plugin settings, including the user, timestamp, and source IP.
Monitoring Recommendations
- Deploy a Web Application Firewall (WAF) rule that blocks requests to WordPress admin endpoints when the Referer header is missing or external.
- Alert on Content Security Policy (CSP) violation reports indicating inline script execution on author pages.
- Monitor administrator session activity for plugin configuration changes performed shortly after browsing external sites.
How to Mitigate CVE-2024-51655
Immediate Actions Required
- Update the Custom Author URL plugin to a version later than 2.0.1 once the maintainer publishes a fix; otherwise deactivate and remove the plugin.
- Inspect and sanitize the stored author-slug value in the database to remove any injected HTML or JavaScript.
- Force a password reset and session invalidation for all administrator accounts that may have visited untrusted sites while logged in.
- Review recently created or modified WordPress users, plugins, and theme files for signs of post-exploitation activity.
Patch Information
At the time of publication, the Patchstack advisory lists all versions through 2.0.1 as affected. Administrators should monitor the plugin's repository page on WordPress.org for an updated release and apply it as soon as it becomes available.
Workarounds
- Deactivate and delete the Custom Author URL plugin until a patched version is released.
- Restrict access to /wp-admin/ by IP allowlist using web server or WAF rules to reduce CSRF exposure.
- Enforce a strict Content Security Policy that disallows inline scripts on public-facing pages.
- Require administrators to use a dedicated browser profile for WordPress administration and to log out when finished.
# Example: restrict wp-admin access by IP in nginx
location ^~ /wp-admin/ {
allow 203.0.113.0/24;
deny all;
try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
