CVE-2024-51624

The Já-Já Pagamentos for WooCommerce plugin (versions up to and including 1.3.0) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the user without proper sanitization.

Exploitation requires user interaction: an attacker must trick a privileged user (such as an administrator) into clicking a crafted link or visiting a specially prepared page [1]. The injected script executes in the context of the victim's browser session, leveraging their authenticated access to the WordPress admin area.

Successful exploitation enables the attacker to perform actions on behalf of the victim, such as creating new admin accounts, modifying site content, or stealing session cookies [1]. Additionally, the injected payload can redirect visitors to malicious sites or display unwanted advertisements, compromising the integrity of the affected website.

As of the publication date, no official patch has been released for version 1.3.0. Users are advised to update the plugin as soon as a patched version becomes available. In the interim, Patchstack offers a virtual patch to block exploitation attempts [1]. Given the potential for mass exploitation, immediate action is recommended.