Stored Cross-Site Scripting Vulnerability in HT Mega – Absolute Addons for Elementor Plugin
CVE-2024-12599

7.2HIGH

Key Information:

Vendor
Devitemsllc
Status
Ht Mega – Absolute Addons For Elementor
Vendor
CVE Published:
11 February 2025

Summary

The HT Mega – Absolute Addons For Elementor plugin for WordPress possesses a vulnerability that allows for Stored Cross-Site Scripting through its Countdown widget. This issue arises from inadequate input sanitization and output escaping of user-supplied attributes. Authenticated attackers, with contributor-level access or higher, can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts execute when a user views a compromised page, potentially leading to unauthorized access or data theft.

Affected Version(s)

HT Mega – Absolute Addons For Elementor * <= 2.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3234495/ht-m...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D.Sim
.