
CVE-2024-53719: Zajax Ajax Navigation CSRF Vulnerability

CVE-2024-53719 is a Cross-Site Request Forgery vulnerability in the Zajax Ajax Navigation WordPress plugin that enables Stored XSS attacks. This article covers the technical details, affected versions (through 0.4), impact, and mitigation.

CVE-2024-53719 Overview

CVE-2024-53719 is a Cross-Site Request Forgery (CSRF) vulnerability in the onigetoc Zajax – Ajax Navigation WordPress plugin (zajax-ajax-navigation). The flaw affects all plugin versions up to and including 0.4. An attacker can leverage the CSRF weakness to inject persistent JavaScript into the affected WordPress site, resulting in Stored Cross-Site Scripting (XSS). Exploitation requires an authenticated administrator to interact with attacker-controlled content, such as visiting a malicious page while logged in. The injected payload then executes in the browser of any user viewing the affected content. The underlying weakness is classified as [CWE-352] Cross-Site Request Forgery.

Critical Impact

A successful attack chains CSRF with Stored XSS, allowing attackers to execute arbitrary JavaScript in administrator browsers and persistently compromise the affected WordPress site.

Affected Products

  • onigetoc Zajax – Ajax Navigation plugin for WordPress
  • All versions from n/a through 0.4
  • WordPress sites with zajax-ajax-navigation installed and active

Discovery Timeline

  • 2024-12-02 - CVE-2024-53719 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-53719

Vulnerability Analysis

The Zajax – Ajax Navigation plugin exposes state-changing functionality without adequate request origin verification. The plugin handlers do not validate WordPress nonces or other anti-CSRF tokens before processing administrative actions. An attacker hosts a crafted page that issues a forged request to the vulnerable endpoint. When an authenticated administrator visits that page, the browser automatically attaches session cookies, and the request is accepted as legitimate. The forged request stores attacker-controlled input that is later rendered without proper output encoding, producing Stored XSS. The resulting payload executes in any visitor's session context, including other administrators.

Root Cause

The root cause is missing CSRF protection [CWE-352] on plugin actions that persist user-supplied content. The handler does not call check_admin_referer() or wp_verify_nonce() before writing data. Combined with insufficient sanitization of stored input, the issue escalates from a request-forgery flaw into a persistent script-injection vector.
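The two missing checks the root cause names, shown on a hypothetical plugin settings handler in its vulnerable shape and then hardened. This is an added illustration, not the plugin's own code; the option name, form field and function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. A hypothetical handler that saves
// one plugin option, first in the shape the advisory describes, then hardened.

// --- Vulnerable shape: any POST carrying an administrator's cookies is accepted.
function zajax_demo_save_vulnerable() {
    if ( isset( $_POST['zajax_demo_selector'] ) ) {
        // No nonce, no capability check, and the raw value is persisted.
        // It is later rendered unescaped, so the CSRF becomes stored XSS.
        update_option( 'zajax_demo_selector', $_POST['zajax_demo_selector'] );
    }
}

// --- Hardened shape: nonce, capability check, sanitized input, escaped output.
function zajax_demo_render_form() {
    $value = get_option( 'zajax_demo_selector', '' );
    echo '<form method="post">';
    // Mints a per-user, per-action token that a page on another origin cannot obtain.
    wp_nonce_field( 'zajax_demo_save', 'zajax_demo_nonce' );
    // esc_attr() keeps stored data inside the attribute even if a bad value got in.
    echo '<input type="text" name="zajax_demo_selector" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}

function zajax_demo_save_hardened() {
    if ( ! isset( $_POST['zajax_demo_selector'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The CSRF fix (CWE-352): the request must carry the nonce minted by
    //    zajax_demo_render_form(); check_admin_referer() dies on a missing or
    //    invalid nonce, so a forged cross-site form never reaches the write.
    check_admin_referer( 'zajax_demo_save', 'zajax_demo_nonce' );
    // 3. Strip markup before persisting, so a later output bug cannot turn the
    //    stored value into a script (the XSS half of the chain).
    $clean = sanitize_text_field( wp_unslash( $_POST['zajax_demo_selector'] ) );
    update_option( 'zajax_demo_selector', $clean );
}

add_action( 'admin_init', 'zajax_demo_save_hardened' );
```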

Attack Vector

Exploitation is network-based and requires user interaction. The attacker delivers a malicious link or embeds a hidden form in third-party content. An authenticated WordPress administrator must visit the attacker-controlled resource while their session is active. The attacker needs no prior authentication or credentials. In CVSS terms the scope is changed, because the injected script executes in the context of other users browsing the affected site.

No verified public proof-of-concept code is available. See the Patchstack Vulnerability Report for additional technical context.

Detection Methods for CVE-2024-53719

Indicators of Compromise

  • Unexpected <script> tags, event handlers, or obfuscated JavaScript embedded in plugin-managed settings or post content.
  • WordPress administrator sessions originating from unusual referrers immediately before configuration changes.
  • New or modified admin users, plugin installations, or theme edits following suspicious administrator browsing activity.

Detection Strategies

  • Audit the WordPress wp_options table and plugin-specific storage for HTML or JavaScript content where plain text is expected.
  • Inspect web server access logs for POST requests to zajax-ajax-navigation endpoints lacking a same-origin Referer header.
  • Deploy a web application firewall rule that flags state-changing requests to the plugin without a valid WordPress nonce parameter.
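The first two detection strategies above, applied to constructed sample data. This is an added example, not code from the advisory or the plugin; the site host, the plugin's admin endpoint path and the option names are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's or the advisory's code; host, endpoint
// path and option names are assumptions made for this illustration.
const SITE_HOST = 'example.test';   // the WordPress site's own host (assumed)
// Combined-log-format lines, constructed for this example.
$access_log = <<<'LOG'
203.0.113.7 - - [02/Dec/2024:10:00:01 +0000] "POST /wp-admin/options-general.php?page=zajax-ajax-navigation HTTP/1.1" 302 0 "https://example.test/wp-admin/options-general.php?page=zajax-ajax-navigation" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:10:05:42 +0000] "POST /wp-admin/options-general.php?page=zajax-ajax-navigation HTTP/1.1" 302 0 "https://lure.invalid/page.html" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:10:06:10 +0000] "POST /wp-admin/options-general.php?page=zajax-ajax-navigation HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;
// Log lines that look like cross-site POSTs to the plugin's admin page: a
// state-changing request whose Referer is missing ("-") or from another host.
function suspicious_posts( string $log, string $host ): array {
    $hits = [];
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        if ( ! preg_match( '/"(\w+) (\S+) [^"]*" \d+ \d+ "([^"]*)"/', $line, $m ) ) {
            continue;   // not a parseable request line
        }
        [ , $method, $path, $referer ] = $m;
        if ( $method !== 'POST' || strpos( $path, 'zajax-ajax-navigation' ) === false ) {
            continue;
        }
        if ( parse_url( $referer, PHP_URL_HOST ) !== $host ) {
            $hits[] = $line;
        }
    }
    return $hits;
}
// Names of options whose value carries script-capable markup where plain text
// is expected (script tags, inline event handlers, javascript: URLs).
function options_with_markup( array $options ): array {
    $flagged = [];
    foreach ( $options as $name => $value ) {
        if ( preg_match( '/<\s*script|<[a-z]+[^>]*\son\w+\s*=|javascript:/i', (string) $value ) ) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}
// Option values as get_option() might return them; constructed here.
$options = [
    'zajax_demo_selector' => '#main-content',
    'zajax_demo_loader'   => '<span onmouseover="x()">',
];
foreach ( suspicious_posts( $access_log, SITE_HOST ) as $line ) {
    echo "CSRF-shaped request: $line\n";
}
foreach ( options_with_markup( $options ) as $name ) {
    echo "Markup stored in option: $name\n";
}
```

Run against the constructed data, the first loop reports the second and third log lines (foreign and missing Referer) and the second loop reports `zajax_demo_loader`; a legitimate nonce-protected form posts from the site's own admin page and is not flagged.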

Monitoring Recommendations

  • Enable WordPress audit logging to record settings changes attributed to administrator accounts.
  • Monitor outbound browser requests from admin sessions for anomalous third-party domains preceding configuration writes.
  • Alert on changes to plugin configuration after an administrator visits an external URL within the same browsing session.

How to Mitigate CVE-2024-53719

Immediate Actions Required

  • Deactivate and remove the zajax-ajax-navigation plugin until a patched version is published.
  • Force-logout all WordPress administrator sessions and rotate administrator credentials.
  • Review all plugin-managed content and remove any stored HTML or JavaScript payloads.

Patch Information

At the time of NVD publication, no fixed version is listed by the vendor. The vulnerability affects all releases through version 0.4. Refer to the Patchstack Vulnerability Report for vendor response status and any subsequent patch availability.

Workarounds

  • Uninstall the plugin and replace it with an actively maintained alternative that implements WordPress nonce validation.
  • Restrict WordPress administrator access to dedicated browsing sessions that do not visit untrusted sites.
  • Enforce a strict Content Security Policy (CSP) on the WordPress site to limit execution of inline scripts.
  • Require administrators to use browser isolation or separate user profiles when managing the site.
```bash
# Configuration example: disable the vulnerable plugin via WP-CLI
wp plugin deactivate zajax-ajax-navigation
wp plugin delete zajax-ajax-navigation
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
