CVE-2024-4876 identifies a stored Cross-Site Scripting vulnerability in the HT Mega – Absolute Addons For Elementor plugin for WordPress, specifically in the handling of the 'popover_header_text' parameter. This vulnerability stems from insufficient input validation and output encoding, classified under CWE-79, which allows malicious scripts to be stored persistently in the website's content. An attacker with contributor-level permissions or higher can inject arbitrary JavaScript code into pages via this parameter. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 2.5.2 of the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. Although no public exploits are currently known, the vulnerability's presence in a widely used WordPress plugin makes it a significant risk for websites using this addon. The lack of available patches at the time of publication necessitates immediate mitigation efforts by administrators.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers can execute arbitrary scripts in the context of the vulnerable site, leading to session hijacking, theft of sensitive information, defacement, or unauthorized actions such as changing content or user settings. Since the vulnerability requires contributor-level access, attackers might exploit weak account controls or compromised credentials to gain initial access. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting the entire site or other integrated services. For organizations relying on this plugin, especially those with high traffic or sensitive user data, exploitation could lead to reputational damage, data breaches, and regulatory consequences. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public.

Administrators should immediately upgrade the HT Mega – Absolute Addons For Elementor plugin to a patched version once available. Until a patch is released, restrict contributor-level and higher permissions to trusted users only, and audit existing user accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'popover_header_text' parameter. Employ Content Security Policy (CSP) headers to limit script execution sources, reducing the impact of injected scripts. Regularly monitor logs for unusual behavior or injection attempts. Additionally, sanitize and validate all user inputs on the server side and ensure output encoding is correctly applied in custom code or templates that interact with this plugin. Conduct security awareness training for site administrators and users with elevated privileges to recognize phishing or social engineering attempts that could lead to account compromise.