CVE-2024-12597 is a stored cross-site scripting (XSS) vulnerability identified in the HT Mega – Absolute Addons For Elementor plugin for WordPress, which is widely used to extend Elementor page builder functionality. The vulnerability exists in all versions up to and including 2.7.6 and stems from improper neutralization of input during web page generation, specifically within the 'block_css' and 'inner_css' parameters. These parameters are insufficiently sanitized and escaped, allowing an attacker with at least Contributor-level privileges to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability requires authenticated access but no user interaction, increasing its risk in environments with multiple contributors or editors. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No patches or exploit code are currently publicly available, but the risk remains significant due to the plugin’s popularity and the common presence of Contributor-level users on WordPress sites. Mitigation requires either updating the plugin when a patch is released or applying strict input validation and output encoding on the affected parameters.

The primary impact of this vulnerability is the potential for persistent cross-site scripting attacks on WordPress sites using the HT Mega plugin. Exploitation can lead to theft of authentication cookies, enabling session hijacking and unauthorized actions on behalf of legitimate users. It can also facilitate privilege escalation if combined with other vulnerabilities or social engineering. The integrity of site content can be compromised through defacement or injection of malicious content. Although availability impact is low, the reputational damage and potential data breaches can be significant. Organizations with multiple contributors or editors are at higher risk, as attackers only need Contributor-level access. Given the widespread use of Elementor and its addons, many websites globally could be affected, including corporate, e-commerce, and informational sites. This vulnerability could be leveraged in targeted attacks against organizations relying on WordPress for their web presence, potentially exposing sensitive user data or enabling further compromise within the network.

1. Monitor for an official patch from devitemsllc and apply it immediately once available. 2. Until a patch is released, restrict Contributor-level access to trusted users only and audit existing user roles to minimize risk. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting 'block_css' and 'inner_css' parameters. 4. Use security plugins that provide XSS protection and content sanitization for WordPress. 5. Conduct regular security reviews and code audits for customizations involving CSS or script injection in the plugin. 6. Educate site administrators and contributors about the risks of injecting untrusted content and enforce strict content policies. 7. Consider disabling or limiting the use of the vulnerable plugin features if feasible until a patch is applied. 8. Monitor site logs and user activity for signs of exploitation or unusual behavior related to page content changes.