CVE-2024-21752
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in the Ajax Search Lite WordPress plugin allows attackers to trick authenticated users into submitting crafted requests, which can lead to reflected XSS attacks. The vulnerability affects all versions up to and including 4.11.4. WordPress administrators and users with plugin access are at risk.
💻 Affected Systems
- WordPress Ajax Search Lite plugin
📦 What is this software?
Ajax Search by Wp Dreams
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, inject malicious scripts into WordPress sites, deface websites, or redirect users to malicious sites through successful CSRF+XSS chaining.
Likely Case
Attackers create malicious links that, when clicked by authenticated users, execute reflected XSS payloads in the victim's browser, potentially stealing session cookies or performing unauthorized actions.
If Mitigated
With proper CSRF tokens and input validation, the attack would fail as requests would be rejected without valid tokens and malicious inputs would be sanitized.
🎯 Exploit Status
Exploitation requires tricking authenticated users into clicking malicious links. The CSRF vulnerability enables reflected XSS, making exploitation straightforward once the user is authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.11.5 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ajax Search Lite' and click 'Update Now'.
4. Verify the update to version 4.11.5 or later.
🔧 Temporary Workarounds
Disable Ajax Search Lite plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate ajax-search-lite
Implement CSRF protection middleware
Add custom CSRF token validation for WordPress admin actions.
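As an added illustration (not the plugin's own code), this is how a WordPress admin-ajax handler validates a nonce before acting and escapes the reflected value on output, covering both halves of the CSRF-to-XSS chain; the action name `asl_demo_search`, the `_ajax_nonce` field and the `term` parameter are assumed for the example.

```php
<?php
// Added example, not Ajax Search Lite's code. Action, field and
// parameter names below are assumed for illustration only.

// Page side: hand the nonce to the page's JavaScript so legitimate
// requests can include it. A third-party site cannot read this value.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('jquery', 'aslDemo', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('asl_demo_search'),
    ]);
});

// Handler for POST /wp-admin/admin-ajax.php?action=asl_demo_search
// (wp_ajax_ only: unauthenticated callers get no handler at all).
add_action('wp_ajax_asl_demo_search', function () {
    // CSRF check: dies with HTTP 403 when '_ajax_nonce' is missing or
    // was not issued for this user and this action.
    check_ajax_referer('asl_demo_search', '_ajax_nonce');

    // Authorization is separate from CSRF protection: also require a
    // capability, so a valid nonce alone does not grant the action.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // Sanitize on input...
    $term = isset($_POST['term'])
        ? sanitize_text_field(wp_unslash($_POST['term']))
        : '';

    // ...and escape on output, so a reflected <script> tag is inert.
    wp_send_json_success(['echo' => esc_html($term)]);
});
```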
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads
- Restrict plugin access to trusted users only and monitor for suspicious admin activities
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Ajax Search Lite version. If the version is 4.11.4 or lower, the site is vulnerable.
Check Version:
wp plugin get ajax-search-lite --field=version
Verify Fix Applied:
After update, verify Ajax Search Lite version shows 4.11.5 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Ajax Search Lite endpoints without referrer headers
- Multiple failed CSRF token validations in WordPress logs
- Suspicious user-agent strings containing script tags
Network Indicators:
- HTTP requests containing malicious script payloads in parameters
- Requests to admin-ajax.php with unusual parameter patterns
SIEM Query:
source="wordpress.log" AND ("ajax-search-lite" OR "admin-ajax.php") AND ("<script>" OR "javascript:" OR "onerror=")
🔗 References
- https://patchstack.com/database/vulnerability/ajax-search-lite/wordpress-ajax-search-lite-plugin-4-11-4-reflected-xss-via-cross-site-request-forgery-csrf-vulnerability?_s_id=cve