
CVE-2024-53725: Post Hits Counter CSRF Vulnerability

CVE-2024-53725 is a Cross-Site Request Forgery vulnerability in the Post Hits Counter plugin that enables reflected XSS attacks. This article covers the technical details, affected versions up to 2.8.23, and mitigation steps.

CVE-2024-53725 Overview

CVE-2024-53725 is a Cross-Site Request Forgery (CSRF) vulnerability in the aMiT Post Hits Counter WordPress plugin (hits-counter) that chains into a Reflected Cross-Site Scripting (XSS) condition. The flaw affects all versions of the plugin up to and including 2.8.23. An attacker can craft a malicious link or page that, when visited by an authenticated administrator, forges a request to the vulnerable endpoint and reflects attacker-controlled script into the response. The weakness is categorized under CWE-352 (Cross-Site Request Forgery) and requires user interaction to succeed.

Critical Impact

A successful attack executes arbitrary JavaScript in the victim administrator's browser session, enabling session theft, account takeover, or persistent backdoor injection into the WordPress site.

Affected Products

  • aMiT Post Hits Counter (hits-counter) WordPress plugin versions up to and including 2.8.23
  • WordPress installations that have the affected plugin enabled
  • Any administrator session interacting with the vulnerable plugin endpoints

Discovery Timeline

  • 2024-12-02 - CVE-2024-53725 published to the National Vulnerability Database
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-53725

Vulnerability Analysis

The Post Hits Counter plugin exposes administrative actions that do not validate request authenticity. The plugin omits the nonce verification step that WordPress provides through wp_verify_nonce() and check_admin_referer(). Without this check, the server accepts state-changing requests originating from cross-origin contexts.

The second half of the chain is a Reflected XSS sink. The plugin echoes a request parameter back into the HTML response without proper output encoding or sanitization. When combined with the missing CSRF protection, an attacker can deliver the XSS payload through a forged request rather than requiring the victim to manually submit it.

The vulnerability requires user interaction: an attacker must convince an authenticated administrator to click a crafted link or visit a malicious page. Because the reflected script runs in the administrator's browser under the WordPress origin, the impact crosses from the vulnerable plugin into the administrator's browser session, which is why the CVSS vector records a changed scope.

Root Cause

The root cause is the absence of anti-CSRF tokens on plugin endpoints combined with unsanitized reflection of user-supplied input. The plugin does not enforce nonce verification before processing requests, and it concatenates request data into HTML output without applying esc_html(), esc_attr(), or equivalent escaping routines.
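
The missing-nonce and unescaped-echo pattern described above, as an added example that is not the plugin's own code: a hypothetical admin action written two ways, the vulnerable shape and the hardened shape using check_admin_referer(), sanitize_text_field() and esc_html(). The function names, nonce action and option name are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical WordPress admin
// action showing the CWE-352 + reflected-XSS pattern the advisory describes,
// next to its hardened form. Handler, nonce action and option names are assumed.

// UNSAFE: state change with no authenticity check, then a raw echo of a request parameter.
function hits_counter_demo_reset_unsafe() {
    update_option( 'hits_counter_demo_total', 0 );  // accepted from any origin (CSRF)
    echo '<div class="updated">Counter reset by ' . $_GET['who'] . '</div>';  // reflected XSS sink
}

// HARDENED: capability check, nonce verification, input sanitization, output escaping.
function hits_counter_demo_reset_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hits-counter-demo' ), '', array( 'response' => 403 ) );
    }
    // Dies with a 403 page when _wpnonce is missing, expired or bound to another action.
    check_admin_referer( 'hits_counter_demo_reset' );

    $who = isset( $_GET['who'] ) ? sanitize_text_field( wp_unslash( $_GET['who'] ) ) : '';
    update_option( 'hits_counter_demo_total', 0 );
    // esc_html() neutralises <, >, &, " and ' so the value cannot break out of the text node.
    echo '<div class="updated">Counter reset by ' . esc_html( $who ) . '</div>';
}

// The form that legitimately triggers the action; wp_nonce_field() emits the
// _wpnonce and _wp_http_referer fields that check_admin_referer() expects.
function hits_counter_demo_render_form() {
    echo '<form method="get" action="' . esc_url( admin_url( 'admin.php' ) ) . '">';
    echo '<input type="hidden" name="page" value="hits-counter-demo">';
    wp_nonce_field( 'hits_counter_demo_reset' );
    echo '<input type="text" name="who" value="' . esc_attr( wp_get_current_user()->display_name ) . '">';
    submit_button( 'Reset counter' );
    echo '</form>';
}
```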

Attack Vector

The attack is delivered over the network and requires no privileges on the target site. The attacker hosts a page containing a hidden form or image tag that targets the vulnerable plugin endpoint with an XSS payload in a reflected parameter. When an authenticated WordPress administrator visits the attacker-controlled page, the browser issues the forged request using the administrator's session cookies. The server processes the request and reflects the script payload, which executes in the administrator's browser under the WordPress origin.

No verified proof-of-concept exploit code is published. See the Patchstack Vulnerability Report for technical details.

Detection Methods for CVE-2024-53725

Indicators of Compromise

  • Web server access logs showing requests to hits-counter plugin endpoints with Referer headers from external domains
  • Reflected request parameters containing <script>, javascript:, onerror=, or other HTML event handler strings
  • Unexpected administrative actions performed shortly after an admin clicked an external link
  • New or modified WordPress administrator accounts that correlate with suspicious request patterns

Detection Strategies

  • Inspect HTTP request logs for cross-origin POST or GET requests targeting plugin URLs without a valid _wpnonce parameter
  • Deploy a web application firewall rule that blocks query strings containing HTML tags or JavaScript event handlers directed at plugin paths
  • Correlate browser console errors and Content Security Policy violation reports with administrator sessions
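
The indicators and detection strategies above, as an added example that is not part of the advisory: a PHP scanner over combined-format access-log lines that flags requests touching the plugin with a cross-origin Referer, no _wpnonce parameter, or script-like strings in query arguments. The site host, the log lines and the admin URL path are constructed sample values.

```php
<?php
// Added example (not from the advisory): flag access-log lines that match the
// CVE-2024-53725 indicators. SITE_HOST, the log lines and the plugin URL are
// constructed sample values, not observed data.

const SITE_HOST = 'blog.example';

function classify_line( string $line ): array {
    // Apache/nginx "combined" format: ip ident user [date] "METHOD target PROTO" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return array();
    }
    [ $ip, $method, $target, $status, $referer ] = array_slice( $m, 1 );
    if ( strpos( $target, 'hits-counter' ) === false ) {
        return array();  // only requests touching the plugin are of interest
    }
    $query = (string) parse_url( $target, PHP_URL_QUERY );
    parse_str( $query, $args );  // percent-decodes values
    $flags = array();

    $ref_host = $referer === '' ? '' : (string) parse_url( $referer, PHP_URL_HOST );
    if ( $ref_host !== '' && strcasecmp( $ref_host, SITE_HOST ) !== 0 ) {
        $flags[] = 'cross-origin referer ' . $ref_host;
    }
    if ( ! isset( $args['_wpnonce'] ) ) {
        $flags[] = 'missing _wpnonce';
    }
    foreach ( $args as $name => $value ) {
        if ( is_string( $value ) && preg_match( '/<script|javascript:|\bon\w+=/i', urldecode( $value ) ) ) {
            $flags[] = "script-like payload in '$name'";
        }
    }
    return $flags ? array( 'ip' => $ip, 'method' => $method, 'status' => $status, 'flags' => $flags ) : array();
}

// Constructed sample lines: a legitimate admin action, then a forged cross-origin request.
$sample = array(
    '203.0.113.5 - - [02/Dec/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=hits-counter&_wpnonce=9f1a2b3c4d HTTP/1.1" 200 512 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Dec/2024:10:05:42 +0000] "GET /wp-admin/admin.php?page=hits-counter&msg=%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 734 "https://evil.example/lure.html" "Mozilla/5.0"',
);
foreach ( $sample as $line ) {
    $hit = classify_line( $line );
    if ( $hit ) {
        printf( "%s %s -> %s [%s]\n", $hit['ip'], $hit['method'], $hit['status'], implode( '; ', $hit['flags'] ) );
    }
}
```

Only the second line is reported, with all three flags; the first passes because it carries a nonce and a same-site Referer.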

Monitoring Recommendations

  • Enable WordPress audit logging to capture administrative action provenance, including source IP and referrer
  • Monitor file integrity for changes to theme files, and watch the wp_options and wp_users tables for modifications that may indicate post-exploitation persistence
  • Alert on outbound requests from administrator browsers to unfamiliar domains during plugin interactions

How to Mitigate CVE-2024-53725

Immediate Actions Required

  • Disable or remove the Post Hits Counter (hits-counter) plugin until a patched release is confirmed installed
  • Force-logout all WordPress administrator sessions and rotate administrator passwords
  • Audit recent administrative activity, user creations, and plugin or theme modifications for signs of exploitation
  • Restrict access to /wp-admin/ by IP allowlist where operationally feasible

Patch Information

At the time of publication, the vendor advisory listed on Patchstack indicates the vulnerability affects all versions up to and including 2.8.23. Site operators should consult the Patchstack Vulnerability Report and the WordPress plugin repository for the latest fixed release before re-enabling the plugin.

Workarounds

  • Replace the plugin with a maintained alternative that implements WordPress nonce verification
  • Deploy a web application firewall rule blocking script payloads in query parameters targeting hits-counter endpoints
  • Apply a strict Content Security Policy to /wp-admin/ that disallows inline script execution
  • Train administrators to avoid clicking external links while authenticated to the WordPress dashboard

```apache
# Example WAF rule (ModSecurity) blocking reflected XSS payloads to the plugin path.
# Note: plugin admin pages are normally routed through /wp-admin/admin.php?page=...
# or admin-ajax.php rather than a file under /wp-content/plugins/, so adjust the
# REQUEST_URI match to the endpoint the plugin actually exposes.
SecRule REQUEST_URI "@contains /wp-content/plugins/hits-counter/" \
    "chain,id:1005372,phase:2,deny,log,status:403,msg:'CVE-2024-53725 XSS attempt'"
    # Chained rule: the deny above only fires when an argument also matches this pattern.
    SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.