CVE-2024-3990 is a stored cross-site scripting vulnerability identified in the HT Mega – Absolute Addons For Elementor plugin for WordPress, specifically affecting the Tooltip & Popover Widget in all versions up to and including 2.5.0. The root cause is improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before being rendered. This allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript payloads into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability requires authentication but no additional user interaction once the payload is stored. The CVSS 3.1 base score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No public exploits are currently known, but the widespread use of WordPress and Elementor plugins increases the potential attack surface. The vulnerability underscores the importance of proper input validation and output encoding in web applications, especially in plugins that handle user-generated content.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, enabling theft of authentication cookies, defacement, or unauthorized actions. This can lead to account takeover, data leakage, or further compromise of the WordPress environment. Although availability is not directly affected, the reputational damage and potential for downstream attacks can be significant. Organizations relying on this plugin for their WordPress sites, especially those with multiple contributors or editors, face increased risk. The vulnerability could be leveraged in targeted attacks against high-value websites or in broader campaigns exploiting popular plugins. Since no public exploits are known yet, early mitigation can prevent exploitation and reduce risk.

1. Immediately update the HT Mega – Absolute Addons For Elementor plugin to a version that patches this vulnerability once available. Monitor vendor announcements for official fixes. 2. If an update is not yet available, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the Tooltip & Popover Widget parameters. 4. Conduct a thorough audit of existing content created with the vulnerable widget to identify and remove any injected malicious scripts. 5. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script sources. 6. Educate site administrators and contributors about the risks of XSS and safe content practices. 7. Regularly back up website data to enable recovery in case of compromise. 8. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts.