CVE-2024-53723: Google Plus Share Plugin CSRF Vulnerability

CVE-2024-53723 Overview

CVE-2024-53723 is a Cross-Site Request Forgery (CSRF) vulnerability in the Google Plus Share and +1 Button WordPress plugin by acbaltaci. The flaw chains into Stored Cross-Site Scripting (XSS), allowing attackers to persist malicious scripts in plugin settings. The vulnerability affects all plugin versions up to and including 1.0. Exploitation requires an authenticated administrator to visit an attacker-controlled page. Successful attacks inject JavaScript that executes in the browsers of site visitors and administrators.

Critical Impact
An attacker who tricks a logged-in administrator into loading a malicious page can persistently inject JavaScript into the WordPress site, enabling session theft, account takeover, and visitor compromise.

Affected Products

acbaltaci Google Plus Share and +1 Button plugin for WordPress
All versions from n/a through 1.0
WordPress sites with the google-plus-share-and-plusone-button plugin activated

Discovery Timeline

2024-12-02 - CVE-2024-53723 published to NVD
2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-53723

Vulnerability Analysis

The vulnerability combines two weaknesses into a single exploitation chain. The plugin's settings handler does not validate request origin, accepting state-changing POST requests without a CSRF token (CWE-352). The same handler stores submitted values without sanitizing or encoding script content before rendering them back in the admin interface or front-end output.

An attacker hosts a page containing a forged form that targets the plugin's settings endpoint. When an authenticated administrator visits that page, the browser silently submits the request using the admin's session cookies. The injected payload is written to the WordPress options table and later rendered without escaping, producing Stored XSS.

Because script execution occurs in the administrator's authenticated context, the attacker can create new admin accounts, modify plugin or theme files, and pivot to remote code execution through WordPress's built-in editors.

Root Cause

The root cause is missing CSRF protection on plugin configuration endpoints. The plugin does not call WordPress functions such as wp_nonce_field() and check_admin_referer() to bind requests to a verified user session. Combined with absent output encoding, attacker-controlled input flows directly from request parameters into rendered HTML.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker delivers a phishing link, malicious advertisement, or compromised site containing a hidden form that auto-submits to the target WordPress instance. The administrator's browser supplies authentication cookies, and the malicious payload is persisted. Subsequent page loads execute the stored JavaScript for any user rendering the affected output.

No public proof-of-concept exploit is listed for CVE-2024-53723. Technical details are available in the Patchstack WordPress Vulnerability Advisory.

Detection Methods for CVE-2024-53723

Indicators of Compromise

Unexpected <script> tags, event handlers, or external script references stored in WordPress wp_options rows belonging to the google-plus-share-and-plusone-button plugin
New WordPress administrator accounts created without a corresponding audit log entry from a known admin session
Outbound requests from visitor browsers to unfamiliar domains originating from pages that embed the plugin's share button

Detection Strategies

Audit plugin settings in the database for HTML or JavaScript content where only plain text values are expected
Review web server access logs for POST requests to plugin admin endpoints lacking an internal Referer header pointing to /wp-admin/
Scan rendered HTML output for inline scripts in regions controlled by plugin options

Monitoring Recommendations

Enable WordPress audit logging to capture changes to plugin options, user roles, and administrator account creation
Deploy a Web Application Firewall rule that blocks requests to plugin settings endpoints when Origin or Referer headers are absent or external
Alert on administrator sessions that perform configuration changes immediately after navigating from external referrers

How to Mitigate CVE-2024-53723

Immediate Actions Required

Deactivate and remove the Google Plus Share and +1 Button plugin until a patched release is published
Rotate WordPress administrator passwords and invalidate active sessions if the plugin was active on an internet-facing site
Inspect plugin option values in the database and remove any unexpected HTML or JavaScript content

Patch Information

No fixed version is identified in the available advisory. The vulnerability affects all versions up to and including 1.0, and the plugin appears to have no patched release. Replace the plugin with an actively maintained sharing solution. Monitor the Patchstack advisory for updates.

Workarounds

Restrict access to /wp-admin/ by IP allowlist to reduce CSRF exposure for administrator accounts
Enforce a strict Content Security Policy that disallows inline script execution on WordPress front-end pages
Require administrators to use a dedicated browser profile for WordPress management to limit cross-site cookie exposure

bash

# Configuration example: deactivate the affected plugin via WP-CLI
wp plugin deactivate google-plus-share-and-plusone-button
wp plugin delete google-plus-share-and-plusone-button