
CVE-2024-54416: WP Login with Ajax CSRF Vulnerability

CVE-2024-54416 is a Cross-Site Request Forgery vulnerability in the WP Login with Ajax WordPress plugin that leads to stored XSS. This article covers the technical details, the affected versions (up to and including 0.6), detection, and mitigation.


CVE-2024-54416 Overview

CVE-2024-54416 is a Cross-Site Request Forgery (CSRF) vulnerability in the Navdeep wp-login-with-ajax WordPress plugin that leads to Stored Cross-Site Scripting (XSS). The flaw affects all plugin versions up to and including 0.6. An attacker who tricks an authenticated administrator into visiting a crafted page can submit forged requests on the victim's behalf, injecting persistent JavaScript into plugin-controlled settings. The stored payload then executes in the browsers of users who visit affected pages. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery.

Critical Impact

Successful exploitation enables attackers to inject persistent JavaScript into a WordPress site through a forged administrator request, leading to session theft, account takeover, and further site compromise.

Affected Products

  • Navdeep WP Login with Ajax plugin (wp-login-with-ajax)
  • All versions up to and including 0.6 (the advisory gives no lower bound)
  • WordPress installations with the affected plugin active

Discovery Timeline

  • 2024-12-16 - CVE-2024-54416 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2024-54416

Vulnerability Analysis

The wp-login-with-ajax plugin exposes one or more state-changing endpoints that do not validate the origin of incoming requests. The plugin accepts form submissions without verifying a WordPress nonce or equivalent anti-CSRF token. When an authenticated administrator browses a page controlled by an attacker, the browser automatically attaches the WordPress session cookies to the forged request, allowing the attacker to modify plugin settings.

Because the modified fields are rendered without proper output encoding, attacker-supplied HTML and JavaScript are persisted in the database and later returned in pages served to site users. The result is a stored XSS condition that survives the initial request and executes in every subsequent visitor's browser. The vulnerability requires user interaction, which is consistent with CSRF exploitation patterns.

Root Cause

The root cause is the absence of CSRF protection on plugin request handlers. WordPress provides wp_nonce_field() and check_admin_referer() for this purpose, but the affected handlers in wp-login-with-ajax versions up to 0.6 either omit these checks or fail to enforce them on the relevant submission paths. Insufficient output sanitization on the same fields compounds the issue, converting a CSRF primitive into stored XSS.
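The two defects described in the analysis and root cause above, shown side by side in a hypothetical settings handler. This is an added example written for this article, not code from wp-login-with-ajax; the option name, field names and hook name are assumptions, and the hardened version adds the nonce and capability checks, input sanitization and output escaping that the vulnerable shape omits.

```php
<?php
// Added example (not plugin code): a hypothetical settings handler in the
// vulnerable shape the advisory describes, beside a hardened version.
// Option name, field names and hook name are assumptions.

// --- Vulnerable pattern: accept any POST, store raw, echo raw -----------
function lwa_demo_save_vulnerable() {
    // No nonce and no capability check: a form auto-submitted from another
    // site by an admin's browser (cookies attached) reaches update_option().
    if ( isset( $_POST['lwa_demo_message'] ) ) {
        update_option( 'lwa_demo_message', wp_unslash( $_POST['lwa_demo_message'] ) );
    }
}
function lwa_demo_render_vulnerable() {
    // Unescaped output turns the forged write into stored XSS.
    echo '<div class="lwa-message">' . get_option( 'lwa_demo_message', '' ) . '</div>';
}

// --- Hardened version -----------------------------------------------------
function lwa_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'lwa_demo_save', 'lwa_demo_nonce' ); // per-user, per-action token
    echo '<input type="hidden" name="action" value="lwa_demo_save">';
    echo '<input type="text" name="lwa_demo_message" value="'
        . esc_attr( get_option( 'lwa_demo_message', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
function lwa_demo_save_hardened() {
    // Reject forged requests before touching state: a cross-site page cannot
    // read the nonce, so check_admin_referer() dies on a missing or bad token.
    check_admin_referer( 'lwa_demo_save', 'lwa_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $raw = isset( $_POST['lwa_demo_message'] ) ? wp_unslash( $_POST['lwa_demo_message'] ) : '';
    // Store plain text only: sanitize_text_field() strips tags and control bytes.
    update_option( 'lwa_demo_message', sanitize_text_field( $raw ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=lwa-demo&updated=1' ) );
    exit;
}
function lwa_demo_render_hardened() {
    // Escape on output as well, so a value written by any other path is inert.
    echo '<div class="lwa-message">' . esc_html( get_option( 'lwa_demo_message', '' ) ) . '</div>';
}
add_action( 'admin_post_lwa_demo_save', 'lwa_demo_save_hardened' );
```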

Attack Vector

The attack proceeds over the network and requires victim interaction. An attacker hosts a page containing an auto-submitting form or fetch request targeting the vulnerable plugin endpoint on a target WordPress site. When a logged-in administrator visits the attacker page, the browser issues the forged request with valid cookies. The plugin accepts the request and stores the attacker-controlled HTML or <script> payload. The payload subsequently runs in any browser that loads the affected administrative or front-end view.

For technical specifics, see the Patchstack Security Vulnerability Report.

Detection Methods for CVE-2024-54416

Indicators of Compromise

  • Unexpected <script> tags, event handlers (onerror, onload), or obfuscated JavaScript stored in wp_options rows associated with wp-login-with-ajax.
  • Outbound requests from administrator browsers to unfamiliar domains after viewing plugin-related pages.
  • New or modified WordPress administrator accounts created shortly after plugin setting changes.

Detection Strategies

  • Inspect plugin-controlled options and templates for HTML or JavaScript content that should contain only plain text.
  • Review WordPress access logs for POST requests to plugin endpoints lacking a Referer header pointing to wp-admin.
  • Correlate administrator session activity with off-site referrers preceding plugin configuration changes.
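The second detection strategy above (POSTs to plugin endpoints without a Referer pointing at wp-admin) as a small access-log scan. This is an added example, not from the advisory; the site host, the endpoint list and the log lines are constructed assumptions, and it generalises the check to the WordPress admin endpoints a settings form posts to rather than one plugin URL.

```php
<?php
// Added example (not from the advisory): flag POSTs to WordPress admin
// endpoints whose Referer is absent or not under this site's /wp-admin/,
// the request shape a cross-site forged form submission produces.
// SITE_HOST and the endpoint list are assumptions; the log lines are
// constructed samples in combined log format.

const SITE_HOST = 'blog.example';
// admin-ajax.php is left out: the plugin's front-end AJAX login legitimately
// posts there from non-admin pages and would flood this check with noise.
const ADMIN_ENDPOINTS = [ '/wp-admin/admin-post.php', '/wp-admin/options.php' ];
// host ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function suspicious_admin_posts( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_RE, $line, $m ) ) { continue; }
        [ , $ip, $time, $method, $path, $status, $referer ] = $m;
        if ( $method !== 'POST' || ! in_array( strtok( $path, '?' ), ADMIN_ENDPOINTS, true ) ) {
            continue;
        }
        $ref = ( $referer === '-' ) ? [] : (array) parse_url( $referer );
        $fromOwnAdmin = ( $ref['host'] ?? '' ) === SITE_HOST
            && strncmp( $ref['path'] ?? '', '/wp-admin/', 10 ) === 0;
        if ( ! $fromOwnAdmin ) {
            $hits[] = sprintf( '%s %s POST %s status=%s referer=%s',
                $time, $ip, $path, $status, $referer === '-' ? '(none)' : $referer );
        }
    }
    return $hits;
}

// Constructed sample: one legitimate save, one lured cross-site POST, one POST
// with no Referer, and a GET that should be ignored.
$sample = [
    '203.0.113.7 - - [16/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php?page=lwa-demo" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:05:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:06:10 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Dec/2024:10:07:00 +0000] "GET /wp-admin/admin-post.php HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0"',
];
foreach ( suspicious_admin_posts( $sample ) as $hit ) { echo $hit, PHP_EOL; }
```

Legitimate same-origin saves (the first line) pass; the lured cross-site POST and the Referer-less POST are reported, and the GET is ignored as non-state-changing.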

Monitoring Recommendations

  • Enable a Web Application Firewall (WAF) rule set that flags requests to WordPress plugin endpoints missing nonce parameters.
  • Monitor Content Security Policy (CSP) violation reports for unexpected inline script execution on WordPress pages.
  • Alert on file and database changes to plugin configuration tables outside of approved maintenance windows.

How to Mitigate CVE-2024-54416

Immediate Actions Required

  • Deactivate the wp-login-with-ajax plugin until a patched version is available and confirmed.
  • Audit plugin-controlled settings and templates, removing any injected scripts or HTML.
  • Rotate administrator credentials and invalidate active sessions if exploitation is suspected.
  • Review the Patchstack advisory for updates on a fixed release.

Patch Information

At the time of publication, no vendor patch was referenced in the NVD entry beyond the Patchstack advisory. Administrators should monitor the WordPress plugin repository and the Patchstack report for a version newer than 0.6 that addresses the CSRF and output encoding issues. Apply the update across all WordPress instances once released and verify the fix in a staging environment.

Workarounds

  • Restrict access to /wp-admin/ by source IP using web server or WAF rules to reduce CSRF exposure.
  • Require administrators to use a separate browser profile or session for WordPress administration to limit cross-site request abuse.
  • Deploy a WAF rule that blocks state-changing requests to the plugin without a valid WordPress nonce and same-origin Referer.
  • Enforce a strict Content Security Policy disallowing inline scripts on WordPress administrative pages.
```bash
# Temporarily disable the vulnerable plugin via WP-CLI
wp plugin deactivate wp-login-with-ajax
wp plugin status wp-login-with-ajax
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
