Stored DOM-Based Cross-Site Scripting Vulnerability in Finale Lite Plugin by WordPress
CVE-2024-12589

5.4MEDIUM

Key Information:

Vendor

WordPress
Status
Finale Lite – Sales Countdown Timer & Discount For WooCommerce
Vendor
CVE Published:
12 March 2025

What is CVE-2024-12589?

The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin is susceptible to Stored DOM-Based Cross-Site Scripting vulnerabilities due to inadequate input sanitization and output escaping mechanisms. This flaw permits authenticated users, with Contributor-level permissions and higher, to inject malicious web scripts into the countdown timer feature. Consequently, these scripts may execute on user pages whenever accessed, posing significant risks to site security and user integrity.

Affected Version(s)

Finale Lite – Sales Countdown Timer & Discount for WooCommerce * <= 2.19.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3247611/fina...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
.
The Cyber Security Vulnerability Database.