Stored DOM-Based Cross-Site Scripting Vulnerability in Finale Lite Plugin by WordPress
CVE-2024-12589
5.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 12 March 2025
What is CVE-2024-12589?
The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin is susceptible to Stored DOM-Based Cross-Site Scripting vulnerabilities due to inadequate input sanitization and output escaping mechanisms. This flaw permits authenticated users, with Contributor-level permissions and higher, to inject malicious web scripts into the countdown timer feature. Consequently, these scripts may execute on user pages whenever accessed, posing significant risks to site security and user integrity.
Affected Version(s)
Finale Lite – Sales Countdown Timer & Discount for WooCommerce * <= 2.19.0