CVE-2024-51589 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the wpcirqle Bigmart Elements plugin, specifically versions up to and including 1.0.3. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected into the Document Object Model (DOM) of affected web pages. Unlike reflected or stored XSS, DOM-based XSS occurs entirely on the client side, where the malicious payload is executed as part of the page’s DOM processing, often triggered by crafted URLs or manipulated input parameters. This flaw enables attackers to execute arbitrary JavaScript in the context of the victim’s browser session, potentially leading to session hijacking, credential theft, unauthorized actions, or redirection to malicious sites. The affected product, Bigmart Elements, is a WordPress plugin used to enhance e-commerce functionality, making it a target for attackers seeking to compromise online stores or user data. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction, such as clicking on a malicious link. The absence of a CVSS score necessitates severity assessment based on impact and exploitability factors.

The impact of CVE-2024-51589 is significant for organizations using the Bigmart Elements plugin in their WordPress e-commerce sites. Successful exploitation can compromise user confidentiality by stealing cookies, session tokens, or other sensitive data accessible via JavaScript. Integrity may be affected if attackers perform unauthorized actions on behalf of users, such as changing account details or making fraudulent transactions. Availability impact is generally low but could be indirectly affected if attackers use the vulnerability to inject disruptive scripts. The ease of exploitation without authentication and the widespread use of WordPress for e-commerce increase the potential attack surface globally. Organizations could face reputational damage, financial loss, and regulatory penalties if customer data is compromised. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network or to distribute malware to site visitors.

1. Monitor for official patches or updates from the wpcirqle vendor and apply them promptly once released. 2. Until a patch is available, implement strict input validation and sanitization on all user-supplied data that is reflected in the DOM, using secure coding practices to neutralize potentially malicious input. 3. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of XSS attacks. 4. Use security plugins or Web Application Firewalls (WAFs) that can detect and block XSS payloads targeting WordPress sites. 5. Educate users and administrators about the risks of clicking on suspicious links and encourage safe browsing habits. 6. Regularly audit and review custom code or third-party plugins for similar vulnerabilities. 7. Consider disabling or replacing the Bigmart Elements plugin if immediate patching is not feasible and the risk is unacceptable.