CVE-2024-54401: Advanced Fancybox CSRF Vulnerability

CVE-2024-54401 Overview

CVE-2024-54401 is a Cross-Site Request Forgery (CSRF) vulnerability in the Advanced Fancybox WordPress plugin by Ciprian Turcu. The flaw affects all versions up to and including 1.1.1. An attacker can chain the CSRF weakness with Stored Cross-Site Scripting (XSS), allowing attacker-controlled JavaScript to persist within the WordPress site.

Exploitation requires an authenticated administrator to visit an attacker-crafted page. Once triggered, the request silently writes malicious script payloads into plugin settings that later execute in the browser of any visitor or admin loading the affected pages.

Critical Impact

Successful exploitation enables persistent JavaScript execution in the context of the WordPress site, leading to session theft, administrative account takeover, and arbitrary content modification.

Affected Products

• Ciprian Turcu Advanced Fancybox WordPress plugin
• All versions from initial release through 1.1.1
• WordPress sites with the advanced-fancybox plugin installed and active

Discovery Timeline

• 2024-12-16 - CVE-2024-54401 published to NVD
• 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-54401

Vulnerability Analysis

The Advanced Fancybox plugin exposes administrative configuration endpoints that change plugin settings without validating the origin of the request. The endpoints do not verify a WordPress nonce or other anti-CSRF token. This omission maps directly to [CWE-352] Cross-Site Request Forgery.

Because settings fields are also rendered without proper output encoding, an attacker can inject JavaScript through the same CSRF request. The injected payload is stored in the database and executed whenever an affected page or admin screen is loaded. The result is a CSRF-to-Stored-XSS chain that pivots a single click into persistent script execution.

Root Cause

The root cause is missing CSRF protection on plugin setting update handlers combined with insufficient sanitization of attacker-supplied input. WordPress plugins are expected to call check_admin_referer() or wp_verify_nonce() on state-changing requests and to sanitize text fields with functions such as sanitize_text_field() or wp_kses(). Advanced Fancybox versions through 1.1.1 fail to perform these checks before persisting configuration values.

Attack Vector

The attack vector is network-based and requires user interaction from a privileged WordPress user. An attacker hosts a malicious page containing a hidden form or JavaScript that issues a POST request to the vulnerable plugin endpoint on the target WordPress site. When a logged-in administrator visits the attacker page, the browser submits the forged request with valid session cookies. The plugin accepts the request and stores the injected script. Any subsequent visitor or administrator triggering the affected output executes the payload in their browser session.

Refer to the Patchstack WordPress Vulnerability advisory for additional technical context.

Detection Methods for CVE-2024-54401

Indicators of Compromise

• Unexpected <script> tags, event handlers, or obfuscated JavaScript stored in Advanced Fancybox plugin options within the wp_options table.
• WordPress administrator sessions performing settings updates from unfamiliar Referer headers or external origins.
• New or modified administrator accounts created shortly after an admin visited an external link.

Detection Strategies

• Audit the wp_options table for entries related to advanced-fancybox and search for HTML or JavaScript content in fields expected to contain plain text.
• Review web server access logs for POST requests to wp-admin/admin.php or options.php referencing the Advanced Fancybox plugin without a corresponding nonce parameter.
• Enable WordPress audit logging to record administrator setting changes and correlate them with browsing activity.

Monitoring Recommendations

• Monitor WordPress administrator endpoints for cross-origin POST submissions and unusual Referer values.
• Alert on Content Security Policy (CSP) report violations indicating inline script execution on pages rendering Fancybox content.
• Track plugin file integrity and configuration drift on production WordPress instances.

How to Mitigate CVE-2024-54401

Immediate Actions Required

• Identify all WordPress sites running the Advanced Fancybox plugin and confirm the installed version.
• Deactivate and remove the advanced-fancybox plugin until a patched release is verified, as no fixed version is identified in the advisory.
• Rotate WordPress administrator credentials and invalidate active sessions if compromise is suspected.
• Inspect plugin settings and remove any unauthorized HTML or JavaScript content.

Patch Information

The Patchstack advisory lists the vulnerability as affecting versions up to and including 1.1.1 with no fixed version published at the time of disclosure. Administrators should monitor the Patchstack WordPress Vulnerability advisory and the plugin repository for an updated release that introduces nonce validation and input sanitization.

Workarounds

• Restrict access to /wp-admin/ using IP allowlists or VPN-only access to reduce CSRF exposure.
• Deploy a Web Application Firewall (WAF) rule blocking POST requests to Advanced Fancybox settings endpoints without a valid WordPress nonce.
• Enforce a strict Content Security Policy that disallows inline scripts on pages rendering Fancybox content.
• Require administrators to use isolated browser profiles for WordPress management to limit session reuse from attacker-controlled sites.

# Configuration example: remove the vulnerable plugin via WP-CLI
wp plugin deactivate advanced-fancybox
wp plugin delete advanced-fancybox

# Optional: block requests to plugin settings without a nonce at the WAF
# Example ModSecurity rule (pseudo)
# SecRule REQUEST_URI "@contains options.php" \
#   "chain,deny,status:403,id:1005401"
# SecRule ARGS:option_page "@streq advanced_fancybox_options" \
#   "chain"
# SecRule &ARGS:_wpnonce "@eq 0"