Stored DOM-Based Cross-Site Scripting Vulnerability in Finale Lite Plugin by WordPress
CVE-2024-12589

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Finale Lite – Sales Countdown Timer & Discount For WooCommerce
Vendor: CVE Published:; 12 March 2025

What is CVE-2024-12589?

The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin is susceptible to Stored DOM-Based Cross-Site Scripting vulnerabilities due to inadequate input sanitization and output escaping mechanisms. This flaw permits authenticated users, with Contributor-level permissions and higher, to inject malicious web scripts into the countdown timer feature. Consequently, these scripts may execute on user pages whenever accessed, posing significant risks to site security and user integrity.

Affected Version(s)

Finale Lite – Sales Countdown Timer & Discount for WooCommerce * <= 2.19.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3247611/fina...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 12, 2025
Vulnerability Reserved
Dec 12, 2024

Credit

Craig Smith

JSON