CVE-2024-51920 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the Pierre Jégo Map Store Locator plugin, which is used to display store locations on websites. The vulnerability stems from improper neutralization of user-supplied input during web page generation, specifically within the client-side DOM environment. This allows attackers to craft malicious URLs or inputs that, when processed by the vulnerable plugin, inject and execute arbitrary JavaScript code in the context of the victim's browser. Unlike traditional reflected or stored XSS, DOM-based XSS occurs entirely on the client side, making detection and mitigation more challenging. The affected versions include all releases up to and including 1.2.1. Exploitation does not require authentication, increasing the attack surface, but does require user interaction such as clicking a malicious link or visiting a compromised page. Although no active exploits have been reported, the vulnerability poses a significant risk because it can be leveraged to steal session cookies, perform actions on behalf of the user, or deliver further malware. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors. The vulnerability impacts confidentiality and integrity primarily, with potential secondary effects on availability if leveraged for broader attacks. The plugin is commonly used in e-commerce and retail websites globally, especially in countries with high WordPress adoption. The vulnerability was published on November 19, 2024, and no official patches or fixes have been linked yet, emphasizing the need for proactive mitigation.

The primary impact of CVE-2024-51920 is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the victim's browser. Attackers can steal sensitive information such as session cookies, authentication tokens, or personal data, leading to account takeover or unauthorized transactions. Additionally, attackers may perform actions on behalf of the user, such as changing account settings or initiating fraudulent activities. The vulnerability could also be used as a vector for delivering malware or redirecting users to malicious sites, further escalating the threat. For organizations, this can result in reputational damage, loss of customer trust, regulatory penalties, and financial losses. Since the vulnerability affects a plugin widely used in e-commerce and retail sectors, the risk extends to a broad range of businesses that rely on the Map Store Locator for customer engagement. The absence of known exploits in the wild currently limits immediate risk, but the ease of exploitation and lack of authentication requirements mean the threat could rapidly escalate once weaponized. The scope of affected systems includes any website running the vulnerable plugin version, potentially numbering in the thousands worldwide.

1. Monitor for official patches or updates from the Pierre Jégo Map Store Locator plugin vendor and apply them promptly once released. 2. In the absence of an official patch, implement manual input validation and sanitization on all user-supplied data processed by the plugin, especially data that influences DOM manipulation. 3. Employ strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4. Use security plugins or web application firewalls (WAFs) that can detect and block malicious payloads targeting DOM-based XSS vulnerabilities. 5. Educate users and administrators about the risks of clicking unknown or suspicious links that could exploit this vulnerability. 6. Conduct regular security audits and penetration testing focusing on client-side script injection vulnerabilities. 7. Consider temporarily disabling or replacing the Map Store Locator plugin with alternative solutions until a secure version is available. 8. Implement HTTP-only and secure flags on cookies to reduce the risk of session hijacking via XSS. 9. Review and harden website code to avoid unsafe DOM manipulation patterns that could be exploited.