CVE-2024-12589 is a stored DOM-based Cross-Site Scripting vulnerability identified in the Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress. The vulnerability exists in all versions up to and including 2.19.0 due to insufficient sanitization of user input and inadequate output escaping in the countdown timer feature. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize the countdown timer. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, required privileges at the contributor level, no user interaction needed, and a scope change due to the potential impact on other users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors. The lack of official patches at the time of reporting necessitates immediate mitigation efforts by administrators. This vulnerability highlights the risks associated with plugins that allow user-generated content without rigorous input validation and output encoding, particularly in e-commerce environments where trust and data integrity are critical.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of other users, including administrators and customers. This can lead to session hijacking, theft of sensitive information such as authentication tokens, unauthorized actions performed on behalf of users, and possible defacement or manipulation of website content. For e-commerce sites using WooCommerce, this could undermine customer trust, lead to financial fraud, or disrupt business operations. The scope of impact extends beyond the initial attacker due to the stored nature of the XSS, affecting any user who views the compromised page. Although the vulnerability does not directly affect system availability, the integrity and confidentiality of user data and site content are at risk. Organizations relying on this plugin may face reputational damage, regulatory compliance issues, and increased operational costs if exploited. The medium CVSS score reflects these risks balanced against the requirement for authenticated access and the absence of user interaction for exploitation.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit all user-generated content related to the countdown timer feature for suspicious scripts or anomalies. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the affected plugin. 4. Until an official patch is released, consider disabling or removing the Finale Lite – Sales Countdown Timer & Discount plugin if feasible. 5. Educate site administrators and contributors about the risks of injecting untrusted content and enforce strict content policies. 6. Apply output encoding and input validation at the application level if custom development resources are available to patch the vulnerability temporarily. 7. Regularly back up website data and configurations to enable quick recovery in case of compromise. 8. Stay updated with vendor announcements and apply official patches immediately upon release. 9. Use security plugins that can detect and alert on suspicious script injections or changes in site content. 10. Conduct periodic security assessments focusing on user input handling and plugin vulnerabilities.