CVE-2024-51712 Overview
CVE-2024-51712 is a reflected Cross-Site Scripting (XSS) vulnerability in the Jigoshop – Store Toolkit plugin for WordPress, developed by Michael Visser. The flaw affects all versions up to and including 1.4.0. The plugin fails to properly neutralize user-supplied input during web page generation, enabling attackers to inject malicious scripts that execute in a victim's browser. The vulnerability is tracked under CWE-79. Successful exploitation requires user interaction, typically achieved by tricking an authenticated user into clicking a crafted link.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of a victim's browser session, leading to session theft, credential harvesting, or actions performed on behalf of administrators.
Affected Products
- Jigoshop – Store Toolkit (jigoshop-store-toolkit) WordPress plugin
- All versions up to and including 1.4.0 (the advisory lists no lower bound)
- WordPress installations using the vulnerable plugin
Discovery Timeline
- 2024-11-09 - CVE-2024-51712 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-51712
Vulnerability Analysis
The Jigoshop – Store Toolkit plugin fails to sanitize or escape user-controllable input before reflecting it back in HTTP responses. An attacker crafts a URL containing JavaScript payloads in parameters processed by the plugin. When a victim clicks the link, the server reflects the unsanitized payload into the rendered page, where the browser executes it within the site's origin.
Because the scope is changed (S:C in the CVSS vector), the injected script can affect resources beyond the vulnerable component, including other plugin contexts and the WordPress administrative interface. The EPSS probability is 0.231%, at the 45.74th percentile, indicating low observed exploitation activity at the time of analysis.
Root Cause
The root cause is improper neutralization of input during web page generation, classified as CWE-79. The plugin accepts request parameters and emits them into HTML output without applying context-appropriate escaping functions such as esc_html(), esc_attr(), or wp_kses(). WordPress provides these sanitization primitives, but the plugin code path does not invoke them before rendering reflected values.
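The following is an added illustration of the CWE-79 pattern described above and is not the Jigoshop – Store Toolkit source: a hypothetical admin-page handler (the parameter name store_search and the function names are assumptions) shown first reflecting a request value raw and then escaping it with the WordPress functions named in this section.

```php
<?php
// Added illustrative example, not the Jigoshop - Store Toolkit source: a hypothetical
// admin-page handler that reflects a request parameter. The parameter name "store_search"
// and the function names are assumptions for illustration.

// Vulnerable pattern (CWE-79): the raw GET value is concatenated into an attribute and a text node.
function render_search_box_vulnerable( string $term ): string {
    return '<form method="get">'
        . '<input type="text" name="store_search" value="' . $term . '">'
        . '</form><p>Results for: ' . $term . '</p>';
}

// Hardened pattern: escape for the exact output context. Attribute values use esc_attr(),
// text nodes use esc_html(); wp_kses() is for places where a limited HTML subset is intended.
// esc_attr()/esc_html() are WordPress core functions; stubs below exist only so this runs outside WordPress.
function render_search_box_hardened( string $term ): string {
    return '<form method="get">'
        . '<input type="text" name="store_search" value="' . esc_attr( $term ) . '">'
        . '</form><p>Results for: ' . esc_html( $term ) . '</p>';
}

// Minimal stand-ins for WordPress esc_attr()/esc_html() so the file runs on plain PHP CLI.
// Real WordPress defines these in wp-includes/formatting.php; do not ship these stubs.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( string $s ): string {
        return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( string $s ): string {
        return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample value: a quote and a harmless tag, enough to show the attribute breaking out.
$term = isset( $_GET['store_search'] ) ? (string) $_GET['store_search'] : '"><b>x</b>';
echo "vulnerable: " . render_search_box_vulnerable( $term ) . PHP_EOL;
echo "hardened:   " . render_search_box_hardened( $term ) . PHP_EOL;
```

In the vulnerable output the quote closes the value attribute and the tag becomes markup; in the hardened output both are rendered as literal text.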
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts or distributes a malicious URL pointing to the WordPress site running the vulnerable plugin. When an authenticated user, particularly an administrator, follows the link, the injected JavaScript executes with the privileges of that user session. Typical payloads exfiltrate session cookies, perform forced actions through the WordPress REST API, or pivot to plant persistent backdoors via plugin or theme editing.
No public proof-of-concept exploit code is available in the referenced advisory. Refer to the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-51712
Indicators of Compromise
- HTTP request logs containing URL parameters with encoded <script> tags, javascript: URIs, or event handlers such as onerror= and onload=
- Unexpected administrative actions originating from administrator sessions shortly after clicking external links
- Outbound requests from browser sessions to attacker-controlled domains carrying cookie or token values
Detection Strategies
- Inspect WordPress access logs for query strings targeting jigoshop-store-toolkit endpoints with reflected HTML or JavaScript syntax
- Deploy a Web Application Firewall (WAF) rule set that flags reflected XSS patterns in GET and POST parameters
- Correlate Referer headers with suspicious payload signatures to identify phishing-driven exploitation attempts
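As an added example of the first detection strategy (not from the advisory or the plugin), the script below scans combined-format access-log lines for requests to a jigoshop-store-toolkit path whose decoded query string contains the reflected-XSS syntax listed under Indicators of Compromise; the admin-page slug and the sample log lines are constructed assumptions.

```php
<?php
// Added example, not from the advisory or the plugin: scans web-server access-log lines for
// requests to a jigoshop-store-toolkit path whose query string, after URL decoding, contains
// reflected-XSS syntax (script tags, javascript: URIs, on*= event handlers). The log format,
// the admin page slug and the sample lines below are constructed for illustration.

function decode_query( string $path ): string {
    // Decode twice so single- and double-encoded values both normalise to readable text.
    return strtolower( rawurldecode( rawurldecode( $path ) ) );
}

function is_suspicious_request( string $request_path ): bool {
    $decoded = decode_query( $request_path );
    if ( strpos( $decoded, 'jigoshop-store-toolkit' ) === false ) {
        return false;
    }
    // Patterns named in the advisory's indicators; the on*= check is loose and needs tuning per site.
    return (bool) preg_match( '/<\s*script|javascript\s*:|\bon[a-z]+\s*=/i', $decoded );
}

function scan_access_log( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        // Combined log format: client IP first, then "METHOD path HTTP/x" in quotes.
        if ( ! preg_match( '/^(\S+) .*"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        if ( is_suspicious_request( $m[2] ) ) {
            $hits[] = [ 'client' => $m[1], 'path' => $m[2] ];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). The first carries an encoded <script> tag, the
// second an encoded quote plus event handler, the third is a benign request to the same path.
$sample = [
    '203.0.113.5 - - [09/Nov/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=jigoshop-store-toolkit&s=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Nov/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=jigoshop-store-toolkit&s=%22%20onerror%3Dtest%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Nov/2024:10:02:00 +0000] "GET /wp-admin/admin.php?page=jigoshop-store-toolkit&s=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];
foreach ( scan_access_log( $sample ) as $hit ) {
    echo "suspicious request from {$hit['client']}: {$hit['path']}\n";
}
```

Run as `php scan.php`; only the first two sample lines are reported. Pipe real log lines in via `file()` and widen the path check if the site serves the plugin under a different slug.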
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin configuration changes and administrative account modifications
- Monitor browser console errors and Content Security Policy (CSP) violation reports for blocked inline script execution
- Track plugin version inventories across WordPress deployments to identify hosts running jigoshop-store-toolkit at or below version 1.4.0
How to Mitigate CVE-2024-51712
Immediate Actions Required
- Deactivate the Jigoshop – Store Toolkit plugin on all WordPress sites until a fixed release is verified
- Audit administrator accounts for unauthorized changes, new users, or modified plugins and themes
- Rotate WordPress administrator passwords and invalidate active sessions to revoke any stolen authentication cookies
Patch Information
At the time of publication, the advisory indicates the issue affects Jigoshop – Store Toolkit through version 1.4.0 with no fixed version listed. Site operators should consult the Patchstack Vulnerability Report for updates on a remediated release.
Workarounds
- Remove the jigoshop-store-toolkit plugin directory from wp-content/plugins/ if a patched version is unavailable
- Enforce a strict Content Security Policy (CSP) that disallows inline scripts and untrusted script sources
- Restrict administrative panel access by IP allowlist or VPN to reduce exposure to phishing-delivered XSS links
# Configuration example: disable the vulnerable plugin via WP-CLI
# Run from the WordPress install directory, or add --path=/path/to/wordpress to each command
wp plugin deactivate jigoshop-store-toolkit
wp plugin delete jigoshop-store-toolkit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.