CVE-2024-12599 is a stored cross-site scripting vulnerability identified in the HT Mega – Absolute Addons For Elementor plugin for WordPress, specifically within its Countdown widget. The vulnerability arises from insufficient sanitization and escaping of user-supplied input attributes, allowing malicious scripts to be stored in the website's content. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages using the vulnerable widget. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability affects all plugin versions up to and including 2.8.1. The CVSS 3.1 base score is 7.2, reflecting a high severity due to network attack vector, low attack complexity, no privileges required beyond contributor access, no user interaction needed, and a scope change. Although no public exploits are currently known, the vulnerability's nature and ease of exploitation make it a significant risk for WordPress sites using this plugin. The issue is categorized under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. The vulnerability compromises confidentiality and integrity but does not impact availability. The plugin's widespread use in WordPress environments increases the potential attack surface globally.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of any users visiting those pages. This can lead to theft of session cookies, enabling account takeover or privilege escalation, defacement of website content, unauthorized actions performed on behalf of users, and potential distribution of malware. For organizations, this undermines user trust, can lead to data breaches, and may result in regulatory compliance violations. Since WordPress powers a significant portion of the web, and HT Mega is a popular plugin, the scope of impact is broad. Attackers do not require high privileges or complex techniques, increasing the likelihood of exploitation. The vulnerability affects confidentiality and integrity of data but does not disrupt service availability. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as proof-of-concept exploits may emerge. Organizations running affected versions face reputational damage, potential financial loss, and operational disruption if exploited.

Organizations should immediately update the HT Mega – Absolute Addons For Elementor plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider disabling or removing the Countdown widget to prevent exploitation. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting this plugin can provide interim protection. Review and restrict contributor-level user permissions to minimize the risk of malicious content injection. Conduct thorough audits of existing content for injected scripts and remove any suspicious code. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Regularly monitor logs and user activity for signs of exploitation attempts. Educate content contributors about the risks of injecting untrusted code and enforce strict input validation policies. Finally, maintain up-to-date backups to enable rapid recovery if an attack occurs.