CVE-2024-51918 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the Freshlight Lab Pay With Stripe plugin, a payment gateway integration for websites. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the client-side DOM context. This flaw allows attackers to inject malicious JavaScript code that executes in the victim's browser when they interact with the affected web pages. Unlike reflected or stored XSS, DOM-based XSS occurs entirely on the client side, making it harder to detect and mitigate without proper client-side input handling. The affected versions include all releases up to and including version 1.2.1. Exploiting this vulnerability could enable attackers to steal cookies, session tokens, or other sensitive information, perform unauthorized actions on behalf of users, or redirect users to malicious sites. Although no public exploits have been reported yet, the vulnerability is significant due to the common use of Stripe payment integrations in e-commerce and online services. The lack of a CVSS score indicates that the vulnerability is newly disclosed, and vendors have not yet released patches. The vulnerability was reserved and published in early November 2024, indicating recent discovery. The plugin’s widespread use in online payment processing makes this a critical concern for website operators using this plugin.

The impact of CVE-2024-51918 is considerable for organizations relying on the Freshlight Lab Pay With Stripe plugin for payment processing. Successful exploitation can compromise the confidentiality of user data, including payment information and session credentials, leading to potential financial fraud and identity theft. Integrity can be affected as attackers may manipulate client-side scripts to perform unauthorized transactions or alter displayed content. Availability impact is generally low but could arise if attackers use the vulnerability to inject disruptive scripts. The threat extends to customer trust and brand reputation, as users affected by XSS attacks may lose confidence in the security of the affected websites. Organizations operating e-commerce platforms or any online services integrating this plugin face increased risk of targeted attacks, especially in regions with high online payment adoption. The absence of known exploits suggests a window of opportunity for proactive mitigation before widespread exploitation occurs.

To mitigate CVE-2024-51918, organizations should first monitor Freshlight Lab’s official channels for patches and apply updates promptly once available. Until patches are released, implement strict client-side input validation and sanitization to prevent malicious script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Review and harden the configuration of the Pay With Stripe plugin, disabling any unnecessary features that process user input. Conduct thorough security testing, including automated and manual DOM-based XSS detection, on all pages utilizing the plugin. Educate developers and administrators about secure coding practices related to client-side scripting and input handling. Additionally, consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting this plugin. Regularly audit logs and monitor for suspicious activity indicative of exploitation attempts.