CVE-2024-51624
Published: 28 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-51624 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Já-Já Pagamentos for WooCommerce WordPress plugin, identified as wc-ja-ja-pagamentos-multicaixa-express, in all versions up to and including 1.3.0.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed for exploitation, with a changed scope. Remote attackers can craft malicious payloads delivered via reflected input, such as URLs or form parameters, tricking site visitors or administrators into interacting with them, like clicking links. This leads to arbitrary JavaScript execution in the victim's browser context, enabling low-level impacts on confidentiality, integrity, and availability, such as session hijacking or data exfiltration.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wc-ja-ja-pagamentos-multicaixa-express/vulnerability/wordpress-ja-ja-pagamentos-for-woocommerce-plugin-1-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the issue in this WordPress plugin and provides details relevant to mitigation strategies.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS vulnerability in public-facing WordPress plugin directly enables exploitation of a public-facing application for initial access via crafted malicious inputs.