
CVE-2024-54398: Flaming Forms CSRF Vulnerability

CVE-2024-54398 is a Cross-Site Request Forgery vulnerability in the Flaming Forms plugin that enables Stored XSS attacks. This article covers the technical details, affected versions up to 1.0.1, security impact, and mitigation.

CVE-2024-54398 Overview

CVE-2024-54398 is a Cross-Site Request Forgery (CSRF) vulnerability in the Flaming Forms WordPress plugin developed by jcaruso001. The flaw affects all versions up to and including 1.0.1. An attacker can leverage the CSRF condition to deliver a Stored Cross-Site Scripting (XSS) payload, which executes in the browser of any user who later views the affected content. The weakness maps to CWE-352: Cross-Site Request Forgery. Successful exploitation requires user interaction, such as an authenticated administrator clicking an attacker-controlled link.

Critical Impact

A successful attack chains CSRF with persistent XSS, enabling script execution in administrator sessions and potential takeover of the WordPress site.

Affected Products

  • Flaming Forms WordPress plugin (flaming-forms) versions up to and including 1.0.1
  • WordPress sites with the vulnerable plugin installed and activated
  • Administrator sessions interacting with attacker-supplied links while authenticated

Discovery Timeline

  • 2024-12-16 - CVE-2024-54398 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-54398

Vulnerability Analysis

The vulnerability stems from missing or inadequate CSRF protection on state-changing requests in the Flaming Forms plugin. The plugin accepts form configuration changes without validating an anti-CSRF token, such as a WordPress nonce. An attacker crafts a malicious page or link that, when visited by an authenticated administrator, submits a forged request to the plugin. The forged request stores attacker-controlled markup or JavaScript into plugin data that the plugin later renders without sufficient output encoding. Each subsequent page load delivers the payload to viewers, producing a Stored XSS condition. The scope-changed impact reflects that scripts execute in the WordPress administrative origin, beyond the vulnerable component itself.

Root Cause

The root cause is the absence of a verified, request-bound CSRF token on form-management endpoints, combined with insufficient sanitization of stored form configuration fields. WordPress provides wp_nonce_field() and check_admin_referer() primitives that the plugin does not enforce on the affected actions.
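As an added illustration (not Flaming Forms code), the following hypothetical settings-save handler shows the missing-nonce pattern the root cause describes beside a hardened version built on the WordPress primitives named above; the ff_* function, action and option names are assumptions, only the WordPress API calls are real.

```php
<?php
// Added illustration, not Flaming Forms code. Function, action and option
// names (ff_*) are assumed; only the WordPress API calls are real.

// VULNERABLE pattern: no nonce or capability check, raw input stored, and
// the stored value later echoed unescaped. A forged cross-site POST sent by
// an administrator's browser arrives with the admin cookies and is accepted.
function ff_save_settings_vulnerable() {
    update_option( 'ff_form_title', $_POST['form_title'] );
}
function ff_render_title_vulnerable() {
    echo '<h2>' . get_option( 'ff_form_title' ) . '</h2>';
}

// HARDENED pattern: the request must carry a nonce bound to this action and
// user, the user must hold the capability, input is sanitized before it is
// stored, and output is escaped when rendered.
function ff_save_settings_hardened() {
    // Calls wp_die() unless a valid nonce for 'ff_save_settings' is in $_POST['ff_nonce'].
    check_admin_referer( 'ff_save_settings', 'ff_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $title = isset( $_POST['form_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_title'] ) )
        : '';
    update_option( 'ff_form_title', $title );
}
function ff_render_title_hardened() {
    echo '<h2>' . esc_html( get_option( 'ff_form_title', '' ) ) . '</h2>';
}

// The legitimate settings form emits the matching nonce so real saves pass
// the check, while a page on another origin cannot obtain a valid one.
function ff_settings_form_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ff_save_settings">';
    wp_nonce_field( 'ff_save_settings', 'ff_nonce' );
    echo '<input type="text" name="form_title">';
    submit_button( 'Save' );
    echo '</form>';
}
add_action( 'admin_post_ff_save_settings', 'ff_save_settings_hardened' );
```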

Attack Vector

The attack is delivered over the network and requires user interaction (UI:R). An attacker hosts a page containing an auto-submitting form or a crafted link targeting the plugin's administrative endpoint. When an authenticated WordPress administrator visits the page, the browser sends authenticated cookies along with the forged request, persisting the XSS payload into plugin storage.

The vulnerability does not have a publicly verified proof-of-concept available. No synthetic exploitation code is provided. See the Patchstack advisory for technical details on the affected endpoint and parameters.

Detection Methods for CVE-2024-54398

Indicators of Compromise

  • Unexpected <script> tags, event handlers, or HTML entities stored within Flaming Forms configuration records in the WordPress database
  • WordPress administrator account activity originating from external referrers immediately before changes to plugin settings
  • Outbound requests from administrator browsers to unfamiliar domains after loading WordPress admin pages that render Flaming Forms output

Detection Strategies

  • Inspect the wp_options and plugin-specific tables for stored payloads containing <script, javascript:, or on*= attribute patterns
  • Review web server access logs for POST requests to Flaming Forms admin endpoints with Referer headers pointing to external origins
  • Correlate browser Content Security Policy (CSP) violation reports with WordPress admin URLs that render plugin-managed content
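The first two detection strategies above, as an added example that is not part of the advisory: a PHP CLI script that flags POSTs to plugin admin endpoints whose Referer is missing or from a foreign origin, and scans option rows for the script-like substrings listed. The site host, the endpoint path pattern, and all log lines and option rows are constructed assumptions.

```php
<?php
// Added detection example, not part of the advisory. The site host, the
// plugin endpoint pattern, and the log and option rows are constructed.
const SITE_HOST = 'shop.example';
// Assumed: the plugin's admin endpoints carry its slug in the request URI.
const PLUGIN_PATH_RE = '~^/wp-admin/.*flaming-forms~';
const PAYLOAD_RE = '~<script|javascript:|\bon[a-z]+\s*=~i';

// Parse one combined-format access log line into its fields.
function parse_log_line(string $line): ?array {
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => $m[5], 'referer' => $m[6]];
}

// A POST to a plugin admin endpoint with a missing or foreign-origin Referer.
function is_cross_origin_plugin_post(array $r): bool {
    if ($r['method'] !== 'POST' || !preg_match(PLUGIN_PATH_RE, $r['path'])) {
        return false;
    }
    $host = parse_url($r['referer'], PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, SITE_HOST) !== 0;
}

// Return option rows whose stored value contains script-like substrings.
function find_suspicious_options(array $rows): array {
    return array_values(array_filter(
        $rows, fn($row) => preg_match(PAYLOAD_RE, $row['option_value']) === 1));
}
$logs = [  // constructed sample lines
    '203.0.113.5 - - [16/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin.php?page=flaming-forms HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Dec/2024:10:05:00 +0000] "POST /wp-admin/admin.php?page=flaming-forms HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=flaming-forms" "Mozilla/5.0"',
];
foreach ($logs as $line) {
    $r = parse_log_line($line);
    if ($r !== null && is_cross_origin_plugin_post($r)) {
        echo "ALERT cross-origin plugin POST from {$r['ip']} at {$r['time']} referer={$r['referer']}\n";
    }
}
$options = [  // constructed sample rows, as returned by a wp_options query
    ['option_name' => 'ff_form_title', 'option_value' => 'Contact us'],
    ['option_name' => 'ff_thankyou_html', 'option_value' => '<img src=x onerror=alert(1)>'],
];
foreach (find_suspicious_options($options) as $row) {
    echo "SUSPICIOUS option {$row['option_name']}\n";
}
```

Only the first log line (foreign Referer) and the second option row (onerror= handler) are reported; legitimate same-origin saves and plain text pass.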

Monitoring Recommendations

  • Enable WordPress audit logging to capture plugin setting changes and the originating user, IP, and referrer
  • Alert on administrator logins followed by plugin configuration edits within short time windows
  • Monitor for new or modified plugin database entries containing HTML or script-like substrings

How to Mitigate CVE-2024-54398

Immediate Actions Required

  • Deactivate the Flaming Forms plugin until a patched release is confirmed available from the maintainer
  • Audit Flaming Forms stored configuration data for injected scripts and remove any malicious entries
  • Force a password reset for WordPress administrators who may have visited untrusted links while authenticated

Patch Information

No fixed version is identified in the available advisory data. The vulnerability affects Flaming Forms 1.0.1 and earlier. Consult the Patchstack Vulnerability Report for the latest remediation status from the maintainer.

Workarounds

  • Restrict WordPress administrator access to dedicated browsers or sessions that do not browse external content
  • Deploy a Web Application Firewall (WAF) rule that requires a valid WordPress nonce on requests to Flaming Forms admin endpoints
  • Apply a Content Security Policy that blocks inline scripts in the WordPress admin to limit Stored XSS execution

```bash
# Example: temporarily disable the plugin via WP-CLI
wp plugin deactivate flaming-forms

# Example: search the database for suspicious stored payloads
# (adjust the wp_ table prefix if your site uses a different one)
wp db query "SELECT option_id, option_name FROM wp_options \
  WHERE option_value LIKE '%<script%' OR option_value LIKE '%onerror=%';"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.