CVE-2024-54428 Overview
CVE-2024-54428 is a Cross-Site Request Forgery (CSRF) vulnerability in the Add image to Post WordPress plugin developed by onigetoc. The flaw chains into a Stored Cross-Site Scripting (XSS) condition, allowing attackers to persist malicious JavaScript inside affected WordPress sites. The vulnerability affects all plugin versions up to and including 0.6. Successful exploitation requires an authenticated user to interact with an attacker-controlled request, after which the injected payload executes in the browser of any visitor or administrator who later views the affected content.
Critical Impact
Attackers can forge requests that store arbitrary JavaScript in WordPress posts, enabling session theft, administrative action abuse, and visitor browser compromise.
Affected Products
- WordPress plugin Add image to Post (slug: add-image-to-post) by onigetoc
- All versions from initial release through 0.6
- WordPress installations with the vulnerable plugin activated
Discovery Timeline
- 2024-12-16 - CVE-2024-54428 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-54428
Vulnerability Analysis
The vulnerability combines two weaknesses into a single exploitable chain. The plugin's state-changing endpoints lack a valid anti-CSRF token check, classified under CWE-352. As a result, an attacker can craft an HTML page or link that, when visited by an authenticated WordPress user, submits a forged request to the plugin on the victim's behalf.
Because the same request paths also fail to sanitize or escape user-supplied input before storing it, the forged request writes attacker-controlled markup into the database. When the affected content is later rendered, the stored payload executes as JavaScript in the victim's browser session. This produces a Stored XSS condition derived from the underlying CSRF flaw.
The scope change reflected in the CVSS vector indicates that an injected script can affect resources beyond the vulnerable plugin, including the broader WordPress administrative interface and any front-end visitor.
Root Cause
The root cause is the absence of WordPress nonce validation (wp_verify_nonce / check_admin_referer) on plugin actions that mutate stored data. Combined with missing output escaping and input sanitization on the resulting fields, attacker payloads survive the request and persist into rendered HTML.
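As an added illustration of the missing checks (not the plugin's own code), a hypothetical image-save handler with nonce verification, a capability check, input sanitization and output escaping in place; the action, form field, meta-key and nonce names are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical handler for a
// plugin that stores an image URL and caption on a post; the action, field,
// meta-key and nonce names below are invented for the example.
function aitp_save_image() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_admin_referer() dies with a 403 page if it is missing
    //    or invalid, so a form hosted on another site never reaches the write.
    check_admin_referer( 'aitp_save_image', 'aitp_nonce' );
    // 2. Authorization: a nonce proves intent, not permission; check both.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 3. Input sanitization: the URL is reduced to a well-formed http(s) URL
    //    and the caption to plain text, so markup and javascript: schemes
    //    are dropped before anything is stored.
    $url     = isset( $_POST['image_url'] )
        ? esc_url_raw( wp_unslash( $_POST['image_url'] ), array( 'http', 'https' ) ) : '';
    $caption = isset( $_POST['caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['caption'] ) ) : '';

    update_post_meta( $post_id, '_aitp_image', $url );
    update_post_meta( $post_id, '_aitp_caption', $caption );
    wp_safe_redirect( get_edit_post_link( $post_id, 'raw' ) );
    exit;
}
add_action( 'admin_post_aitp_save_image', 'aitp_save_image' );

// The form that posts to the handler must embed the matching nonce field.
function aitp_render_form( $post_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'aitp_save_image', 'aitp_nonce' );
    echo '<input type="hidden" name="action" value="aitp_save_image">';
    echo '<input type="hidden" name="post_id" value="' . esc_attr( $post_id ) . '">';
    echo '<input type="url" name="image_url"> <input type="text" name="caption">';
    echo '<button type="submit">Save</button></form>';
}

// 4. Output escaping: stored values are escaped again at render time, so a
//    value that slipped past sanitization still cannot break out of the tag.
function aitp_render_image( $post_id ) {
    $url     = get_post_meta( $post_id, '_aitp_image', true );
    $caption = get_post_meta( $post_id, '_aitp_caption', true );
    if ( $url ) {
        echo '<img src="' . esc_url( $url ) . '" alt="' . esc_attr( $caption ) . '">';
    }
}
```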
Attack Vector
Exploitation is network-based and requires user interaction. An attacker hosts a malicious page containing a crafted form or fetch request targeting the vulnerable plugin endpoint. When an authenticated WordPress user, typically an administrator or editor, visits that page, the browser submits the forged request using the user's active session cookies. The plugin processes the request without verifying its origin and stores the attacker-supplied script payload. Subsequent page views trigger the stored XSS in the victim's browser. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-54428
Indicators of Compromise
- Unexpected <script> tags or onerror/onload event-handler attributes stored in WordPress post content, post metadata, or plugin-managed image fields
- Outbound requests from administrator browsers to unfamiliar domains immediately after viewing posts managed by the add-image-to-post plugin
- New or modified posts where the change author does not match expected editorial workflows
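A stand-alone audit routine for the stored-content indicators above (and the wp_posts/wp_postmeta audit in the next section), added here as example code rather than anything from the advisory or the plugin; the meta keys and the sample rows are constructed.

```php
<?php
// Added example, not the advisory's or the plugin's code. Stand-alone
// (`php audit.php`): the rows below are constructed wp_postmeta-style
// samples, not real data, and the meta keys are invented.

// Flags the indicators listed above: script tags, inline event handlers,
// javascript: URLs, and script src pointing at a host other than the site.
function find_suspicious_markup( string $html, string $site_host ): array {
    $hits = [];
    if ( preg_match( '/<script\b/i', $html ) ) {
        $hits[] = 'script-tag';
    }
    if ( preg_match( '/\son[a-z]+\s*=/i', $html ) ) {
        $hits[] = 'event-handler';
    }
    if ( preg_match( '/(?:href|src)\s*=\s*["\']?\s*javascript:/i', $html ) ) {
        $hits[] = 'javascript-url';
    }
    $src = '/<script\b[^>]*\ssrc\s*=\s*["\']?(?:https?:)?\/\/([^\/"\'\s>]+)/i';
    if ( preg_match_all( $src, $html, $m ) ) {
        foreach ( $m[1] as $host ) {
            if ( strcasecmp( $host, $site_host ) !== 0 ) {
                $hits[] = 'external-script:' . strtolower( $host );
            }
        }
    }
    return $hits;
}

$site = 'blog.example.com';
$rows = [ // constructed [post_id, meta_key, meta_value] rows
    [ 41, '_aitp_image', 'https://blog.example.com/wp-content/uploads/a.png' ],
    [ 42, '_aitp_image', 'https://blog.example.com/x.png" onerror="x()' ],
    [ 43, '_aitp_caption', '<script src="//cdn.example.net/p.js"></script>' ],
];
foreach ( $rows as [ $id, $key, $value ] ) {
    $hits = find_suspicious_markup( $value, $site );
    if ( $hits ) {
        printf( "post %d %s: %s\n", $id, $key, implode( ', ', $hits ) );
    }
}
```

On a live site, feed the function rows exported with `wp db query` from wp_posts.post_content and wp_postmeta.meta_value; the patterns are deliberately broad, so treat hits as triage leads to review by hand.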
Detection Strategies
- Audit the wp_posts and wp_postmeta tables for HTML event handlers, encoded JavaScript, or external script src references inserted into image-related fields
- Review web server access logs for POST requests to plugin endpoints lacking a referer header from the same WordPress origin
- Inspect installed plugin versions across managed WordPress sites and flag any instance of add-image-to-post at version 0.6 or earlier
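The access-log check from the second strategy above, as an added example (not from the advisory): it parses combined-log-format lines and flags POSTs to the plugin's write endpoint whose Referer is missing or from another origin. The endpoint path and the log lines are constructed placeholders.

```php
<?php
// Added example, not the advisory's code. Stand-alone (`php referer_check.php`);
// the access-log lines are constructed samples in combined log format and the
// endpoint path is a placeholder for the plugin's real write endpoint.

// Returns POSTs to $path_hint whose Referer is absent or from another origin.
function flag_cross_origin_posts( array $lines, string $site_host, string $path_hint ): array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"/';
    $flagged = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue; // not a combined-format line
        }
        [ $ip, $when, $method, $path, $referer ] = array_slice( $m, 1 );
        if ( $method !== 'POST' || strpos( $path, $path_hint ) === false ) {
            continue;
        }
        // "-" means no Referer was sent; otherwise compare the host only.
        $ref_host = ( $referer === '-' ) ? '' : (string) parse_url( $referer, PHP_URL_HOST );
        if ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $flagged[] = [ 'ip' => $ip, 'time' => $when, 'path' => $path, 'referer' => $referer ];
        }
    }
    return $flagged;
}

$site = 'blog.example.com';
$logs = [
    // cross-origin: request submitted from a page on another site
    '198.51.100.7 - - [16/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-post.php?action=aitp_save_image HTTP/1.1" 302 0 "https://lure.example.org/page.html" "Mozilla/5.0"',
    // no Referer at all
    '198.51.100.7 - - [16/Dec/2024:10:02:10 +0000] "POST /wp-admin/admin-post.php?action=aitp_save_image HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    // legitimate: submitted from the site's own edit screen
    '203.0.113.5 - - [16/Dec/2024:10:05:00 +0000] "POST /wp-admin/admin-post.php?action=aitp_save_image HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/post.php?post=41" "Mozilla/5.0"',
    // GET requests are not state-changing here and are ignored
    '203.0.113.5 - - [16/Dec/2024:10:05:01 +0000] "GET /wp-admin/post.php?post=41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
foreach ( flag_cross_origin_posts( $logs, $site, 'admin-post.php' ) as $f ) {
    printf( "%s suspect POST from %s to %s (referer: %s)\n", $f['time'], $f['ip'], $f['path'], $f['referer'] );
}
```

A missing Referer also occurs legitimately under strict referrer policies, so correlate hits with the stored-content audit rather than treating them as proof on their own.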
Monitoring Recommendations
- Enable WordPress security logging to capture authenticated administrative actions and correlate them with browser referer data
- Monitor for anomalous session activity from privileged accounts, including actions executed seconds after the user loads an external page
- Alert on Content Security Policy (CSP) violations originating from WordPress admin or content pages
How to Mitigate CVE-2024-54428
Immediate Actions Required
- Deactivate and remove the Add image to Post plugin until a patched release supersedes version 0.6
- Audit all WordPress posts and metadata edited while the vulnerable plugin was active, and remove any embedded scripts or suspicious attributes
- Force password resets and invalidate active sessions for administrator and editor accounts that may have been exposed
Patch Information
At the time of NVD publication, no fixed version beyond 0.6 is referenced in the advisory. Operators should consult the Patchstack Vulnerability Report for current remediation status and upgrade to any vendor-released fixed version once available.
Workarounds
- Remove the plugin entirely and replace its functionality with an actively maintained alternative
- Restrict access to WordPress administrative pages by IP allowlist to reduce CSRF exposure for privileged sessions
- Deploy a Content Security Policy that disallows inline scripts and limits permitted script origins to mitigate execution of stored payloads
- Place the WordPress site behind a Web Application Firewall (WAF) with rules that block requests missing valid same-origin referers to plugin endpoints
# Configuration example: disable the vulnerable plugin via WP-CLI
wp plugin deactivate add-image-to-post
wp plugin delete add-image-to-post
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.