CVE-2024-54238 Overview
CVE-2024-54238 is a reflected cross-site scripting (XSS) vulnerability in Board Document Manager from CHUHPL, a WordPress plugin published by the Cleveland Heights-University Heights Public Library. The flaw affects all plugin versions up to and including 1.9.1. An attacker embeds script in a crafted request URL; the plugin reflects it into the response unencoded, and it executes in the browser of any victim who follows the link. The vulnerability is tracked under CWE-79 (improper neutralization of input during web page generation).
Critical Impact
Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser under the origin of the vulnerable WordPress site. WordPress sets its authentication cookies HttpOnly by default, so the realistic goal is not to read the cookie but to act through the victim's session: issue authenticated requests, read the nonces those requests need from admin pages, and, if the victim is an administrator, create accounts or modify plugin and theme code. Credential theft is possible by injecting a fake login form into the page.
Affected Products
- WordPress plugin: Board Document Manager from CHUHPL
- Affected versions: all versions up to and including 1.9.1 (the advisory gives no lower bound)
- Vendor: Cleveland Heights-University Heights Public Library Webdeveloper
Discovery Timeline
- 2024-12-13 - CVE-2024-54238 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-54238
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the board-document-manager-from-chuhpl WordPress plugin. User-controlled input from the request is echoed back into the HTTP response without output encoding. An attacker crafts a URL containing malicious JavaScript and lures a user, ideally one logged in with elevated privileges, into visiting it. The injected payload executes in the victim's browser under the origin of the vulnerable WordPress site.
The scope change (S:C) in the CVSS vector reflects that the vulnerable component is the plugin on the server, while the impacted component is the victim's browser and whatever that browser's session can reach, including administrative functions. The current EPSS score of 0.295% places this issue in the 53rd percentile of scored CVEs for likelihood of exploitation, a low absolute probability consistent with the absence of a public proof of concept.
Root Cause
The root cause is improper neutralization of user-supplied input before reflection into the generated HTML response [CWE-79]. The plugin does not apply WordPress output-escaping functions (esc_html(), esc_attr(), esc_url(), chosen for the HTML context the value lands in) or input sanitization such as sanitize_text_field() or wp_kses() to request parameters before rendering them in page output.
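The following is an added example, not code from the CHUHPL plugin or from the advisory. It models the CWE-79 pattern described above in Python: a handler that reflects request parameters straight into HTML, beside the same handler with context-appropriate output encoding. The parameter names q and back are illustrative (the advisory does not name the vulnerable parameter), html.escape() stands in for esc_html()/esc_attr(), and the escape_url() helper stands in for the scheme check esc_url() performs; it is a simplified illustration, not a substitute for the WordPress functions in real plugin code.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_vulnerable(query_string):
    """Reflect request parameters straight into HTML: the CWE-79 pattern behind this CVE.

    Mirrors PHP of the form  echo '<p>Results for ' . $_GET['q'] . '</p>';
    Parameter names are illustrative; the advisory does not name them.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    q = params.get("q", [""])[0]
    back = params.get("back", ["/"])[0]
    return f'<p>Results for {q}</p>\n<a href="{back}">Back</a>'


ALLOWED_SCHEMES = {"http", "https"}


def escape_url(value):
    """Stand-in for esc_url(): reject non-http(s) schemes, then HTML-escape for the attribute.

    HTML escaping alone does nothing for a URL context: 'javascript:alert(1)' contains
    no character that html.escape() touches, so the scheme has to be checked separately.
    """
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""  # javascript:, data:, vbscript: ... never reach the href
    return html.escape(value, quote=True)


def render_hardened(query_string):
    """Same page with output encoding applied at the point of reflection, per context."""
    params = parse_qs(query_string, keep_blank_values=True)
    q = html.escape(params.get("q", [""])[0], quote=True)  # esc_html()/esc_attr() equivalent
    back = escape_url(params.get("back", ["/"])[0])        # esc_url() equivalent
    return f'<p>Results for {q}</p>\n<a href="{back}">Back</a>'


if __name__ == "__main__":
    # Constructed attacker query strings, as a crafted link would carry them.
    for qs in (
        "q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
        "q=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
        "back=javascript%3Aalert(1)",
    ):
        print("vulnerable:", render_vulnerable(qs), sep="\n")
        print("hardened:", render_hardened(qs), sep="\n")
```

The point of the third sample is that escaping has to match the output context: text and attribute values are handled by HTML entity encoding, but a value placed in an href also needs its scheme checked, which is what esc_url() adds over esc_attr().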
Attack Vector
Exploitation requires user interaction. An attacker delivers a crafted link through phishing, social media, or a malicious page. When a logged-in WordPress user follows the link, the injected script executes in their browser with that user's session. Because WordPress authentication cookies are HttpOnly, the script normally acts through the browser rather than exfiltrating the cookie: it can send authenticated requests on the victim's behalf, read WordPress nonces from admin pages to satisfy CSRF checks, and, if the victim is an administrator, create accounts or edit plugin and theme code.
No verified proof-of-concept code is publicly available. See the Patchstack XSS Vulnerability Report for advisory details.
Detection Methods for CVE-2024-54238
Indicators of Compromise
- Inbound HTTP requests to the plugin's endpoints whose query strings, once percent-decoded (possibly more than once, to catch double encoding), contain <script> tags, javascript: URIs, or HTML event handlers such as onerror= and onload=.
- Access-log entries carrying such parameters, paired, where a WAF or reverse proxy captures bodies, with response bodies that echo the parameter value unencoded.
- Unexpected outbound requests from administrator browser sessions to attacker-controlled domains shortly after clicking external links.
Detection Strategies
- Inspect HTTP request and response pairs for reflected user input that contains script-like content matching common XSS payload patterns.
- Deploy a web application firewall (WAF) rule set that flags suspicious characters and encoded payloads targeting plugin URLs containing board-document-manager-from-chuhpl.
- Correlate WordPress administrator login activity with unusual session token use from new IP addresses or user agents.
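The following is an added example, not tooling from the advisory or the plugin maintainer. It applies the indicators listed above to web server access logs in the default combined format written by nginx and Apache: each request target is percent-decoded repeatedly so double-encoded payloads are not missed, matched against a small indicator set, and tagged when the plugin slug appears in the request. The log lines are constructed for illustration, and the admin page and query parameters in them are assumptions; the advisory does not publish the vulnerable endpoint or parameter name.

```python
import re
from urllib.parse import unquote_plus

# Plugin directory slug from the advisory. It appears under /wp-content/plugins/<slug>/
# and in admin page parameters; the vulnerable endpoint itself is not published.
PLUGIN_SLUG = "board-document-manager-from-chuhpl"

# Combined log format as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators from the IoC list: script tags, javascript: URIs and HTML event handlers.
# Handlers are an explicit list so ordinary parameter names such as "onboarding="
# do not trip the rule.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(
        r"\bon(?:error|load|click|mouseover|focus|blur|animationstart|toggle)\s*=", re.I),
    "html_tag": re.compile(r"<\s*(?:img|svg|iframe|body|input|details|object|embed)\b", re.I),
}


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_target(target):
    """Return (decoded target, sorted indicator names, whether the plugin slug is present)."""
    decoded = decode_fully(target)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return decoded, hits, PLUGIN_SLUG in decoded.lower()


def scan_log(lines):
    """One finding per combined-format request line whose decoded target matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded, hits, related = analyze_target(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"], "status": int(m["status"]),
                "target": decoded, "indicators": hits, "plugin_related": related,
            })
    return findings


# Constructed sample traffic (not real log data); page and parameter names are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2024:10:15:22 +0000] "GET /wp-admin/admin.php?page=board-document-manager-from-chuhpl HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2024:10:16:01 +0000] "GET /wp-admin/admin.php?page=board-document-manager-from-chuhpl&s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5288 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2024:10:16:09 +0000] "GET /wp-admin/admin.php?page=board-document-manager-from-chuhpl&s=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Dec/2024:10:17:45 +0000] "GET /?redirect=javascript%3Aalert(document.domain) HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '192.0.2.11 - - [13/Dec/2024:10:18:03 +0000] "GET /wp-admin/index.php?onboarding=1 HTTP/1.1" 200 7100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "PLUGIN" if f["plugin_related"] else "other"
        print(f'{f["ts"]} {f["ip"]} [{flag}] {",".join(f["indicators"])} {f["target"]}')
```

A 200 response to a request carrying a payload is not proof of execution, only that the request reached the application; confirming the reflection requires the response body, which access logs do not contain. The third sample line is the reason for decode_fully(): a single decoding pass would leave the payload as %3Cimg%20src... and miss it.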
Monitoring Recommendations
- Enable verbose access logging on the WordPress reverse proxy or web server and forward logs to a centralized analytics platform.
- Collect Content Security Policy (CSP) violation reports (report-uri / report-to) and watch for blocked inline script execution on plugin pages; a report-only policy produces these reports without blocking anything.
- Track plugin version inventory across managed WordPress instances to identify hosts running 1.9.1 or earlier.
How to Mitigate CVE-2024-54238
Immediate Actions Required
- Identify all WordPress installations with the board-document-manager-from-chuhpl plugin installed and confirm the installed version.
- Deactivate the plugin if it is not in active use until a patched release is verified.
- Apply WAF rules to block reflected XSS payload patterns targeting plugin request parameters.
- Restrict WordPress administrator accounts to dedicated browsers and enforce multi-factor authentication.
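The following is an added example, not tooling from the advisory or the plugin maintainer, for the inventory step above and the version-tracking recommendation under Monitoring. It takes the output of `wp plugin list --format=json` collected from each host and reports copies at or below 1.9.1. Version strings are compared as numeric tuples because plain string comparison sorts "1.10" below "1.9.1". The inventory is constructed; the version "1.10" in it is hypothetical, used only to exercise the comparison, and does not imply that a fixed release exists.

```python
import json
import re

PLUGIN_SLUG = "board-document-manager-from-chuhpl"  # plugin directory slug from the advisory
LAST_AFFECTED = "1.9.1"                             # "through 1.9.1" per the advisory


def parse_version(version):
    """Convert '1.9.1' to a comparable tuple; '1.9' pads to (1, 9, 0), '1.9.1-beta' sorts below '1.9.1'.

    Plain string comparison gets this wrong: '1.10' < '1.9.1' lexicographically.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    release_flag = 0 if m.group(2).strip() else 1  # a pre-release suffix ranks below the release
    return nums + (release_flag,)


def is_affected(version):
    """True for every version up to and including LAST_AFFECTED."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def affected_hosts(inventory):
    """inventory maps hostname -> raw JSON from `wp plugin list --format=json` on that host.

    Returns (host, version, status) for each vulnerable copy, active or not:
    an inactive plugin is still on disk and can be reactivated.
    """
    hits = []
    for host, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") == PLUGIN_SLUG and is_affected(plugin.get("version", "0")):
                hits.append((host, plugin["version"], plugin.get("status", "unknown")))
    return hits


# Constructed inventory in the shape WP-CLI emits (name, status, update, version).
# "1.10" is a hypothetical later release used only to exercise the comparison.
SAMPLE_INVENTORY = {
    "lib-www-1": json.dumps([
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
        {"name": PLUGIN_SLUG, "status": "active", "update": "none", "version": "1.9.1"},
    ]),
    "lib-www-2": json.dumps([
        {"name": PLUGIN_SLUG, "status": "inactive", "update": "none", "version": "1.10"},
    ]),
    "lib-www-3": json.dumps([
        {"name": PLUGIN_SLUG, "status": "inactive", "update": "none", "version": "1.8"},
    ]),
}

if __name__ == "__main__":
    for host, version, status in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {PLUGIN_SLUG} {version} ({status}) is affected by CVE-2024-54238")
```

Run `wp plugin list --format=json` on each managed host (over SSH or your configuration management tool) and feed the outputs in as the inventory dictionary; the script is offline and makes no network calls itself.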
Patch Information
Review the Patchstack advisory for the latest vendor remediation status. Upgrade to any version released after 1.9.1 once published by the plugin maintainer.
Workarounds
- Remove or disable the plugin until a fixed version becomes available.
- Implement a Content Security Policy that disallows inline scripts and untrusted script sources. Note that WordPress core and wp-admin rely heavily on inline scripts, so a policy with script-src 'self' will break the dashboard unless nonces or 'unsafe-inline' are added; deploy it as Content-Security-Policy-Report-Only first and review the violation reports before enforcing.
- Train administrators to avoid clicking links from untrusted sources while authenticated to the WordPress admin console.
# Configuration example (nginx): enforce a baseline CSP via response header. Caveat: wp-admin depends on inline
# scripts, so test this as Content-Security-Policy-Report-Only first or the dashboard will break.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

