CVE-2024-51624: 
WordPress vulnerability analysis and mitigation

The Já-Já Pagamentos for WooCommerce plugin for WordPress contains a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2024-51624) affecting versions up to and including 1.3.0. The vulnerability was discovered on March 17, 2025, and stems from insufficient input sanitization and output escaping in the plugin (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue (CWE-79) that allows unauthenticated attackers to inject arbitrary web scripts into pages. The vulnerability has received a CVSS v3.1 score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (Patchstack).

Successful exploitation of this vulnerability could allow attackers to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. These injected scripts would execute when users visit the affected site, potentially compromising user data and website integrity (Patchstack).

Currently, there is no known official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available (Patchstack).