CVE-2024-12599
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages through the HT Mega plugin's Countdown widget. The scripts are saved with the page and execute in the browser of anyone who views it, including editors and administrators, potentially stealing data or performing actions with the viewer's privileges. All WordPress sites running HT Mega versions up to and including 2.8.1 are affected.
💻 Affected Systems
- HT Mega – Absolute Addons For Elementor WordPress plugin, versions up to and including 2.8.1
📦 What is this software?
HT Mega by HasThemes: a WordPress plugin that adds a library of widgets and page-building addons, including the Countdown widget, to the Elementor page builder.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect visitors to malicious sites, deface pages, or run a script in an administrator's browser that performs actions on the administrator's behalf (such as creating a new privileged account), potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject a script that runs whenever an editor or administrator previews or views the affected page. Because WordPress sets its authentication cookies as HttpOnly, the script usually cannot read the session cookie directly; instead it issues authenticated requests from the victim's browser, leading to account takeover or limited site manipulation.
If Mitigated
With strict role assignment and a Content Security Policy that blocks inline scripts, impact is limited to defacement or minor data leakage from the affected pages only.
🎯 Exploit Status
Requires an authenticated user with at least contributor privileges. Exploitation involves supplying crafted values for Countdown widget attributes in the Elementor page/post editor; the plugin did not sufficiently sanitize this input or escape it on output, so the payload is stored and rendered as-is.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.8.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3234495/ht-mega-for-elementor
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'HT Mega – Absolute Addons For Elementor'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Restrict User Roles
Limit the contributor and author roles to trusted users only, and review the existing users who hold these roles (Users > All Users, filtered by role).
Content Security Policy
Implement Content Security Policy headers that disallow inline scripts and restrict script sources to reduce the impact of an injected payload. CSP limits what an injected script can do; it does not remove a payload that is already stored.
🧯 If You Can't Patch
- Disable HT Mega plugin completely until patched
- Remove contributor and author access for untrusted users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for the HT Mega version. If the version is 2.8.1 or earlier, the site is vulnerable.
Check Version:
wp plugin list --name='ht-mega-for-elementor' --field=version
Verify Fix Applied:
After updating, confirm that the HT Mega plugin version shows 2.8.2 or later in the WordPress plugins list (or re-run the WP-CLI command above).
📡 Detection & Monitoring
Log Indicators:
- POST requests from contributor-level accounts that save page data (Elementor submits editor saves through wp-admin/admin-ajax.php; wp-admin/post.php receives classic-editor saves) whose payload contains Countdown widget settings with script tags or on* event-handler attributes
- Bursts of page edits by contributor-level users in a short time
Network Indicators:
- Unexpected script tags, javascript: URLs or on* event-handler attributes in page responses near elements carrying the 'htmega-countdown' class or attributes
SIEM Query:
source="wordpress.log" AND ("htmega-countdown" OR ("Countdown" AND "widget")) AND status=200
(The original query relied on operator precedence; AND binds tighter than OR, so the inner parentheses are needed to get "Countdown widget" as one alternative. Replace source="wordpress.log" with the index or source name under which your WordPress or web server logs are ingested, and narrow to POST requests to cut noise.)
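One way to hunt for payloads that are already stored, as an added example that is not part of the original advisory or the HT Mega plugin's own code: Elementor keeps each page's layout as a JSON tree in the `_elementor_data` post meta (retrievable with `wp post meta get <post-id> _elementor_data`), so the saved settings of every Countdown widget can be inspected directly instead of relying on request logs. The widget type name `htmega-countdown`, the `custom_labels` setting name and the sample page data below are assumptions constructed for this example; the script matches any widget whose type contains "countdown" so it does not depend on the exact name.

```python
"""Scan Elementor page data for Countdown widgets carrying script payloads.

Added example for this advisory, not code from HasThemes or the HT Mega plugin.
Assumptions: Elementor stores a page as a JSON list of elements, each with
`elType`, optional `widgetType`, a `settings` dict and nested `elements`.
The countdown widget's exact widgetType is not given on the page, so any
widgetType containing "countdown" is matched. The sample data is constructed.
"""
import json
import re
from typing import Iterator

# Fragments that indicate script injection inside a widget setting value.
DANGEROUS = re.compile(
    r"<\s*script|javascript\s*:|on[a-z]+\s*=|<\s*(svg|img|iframe|object|embed)\b",
    re.IGNORECASE,
)


def walk(elements: list, path: str = "") -> Iterator[tuple[str, dict]]:
    """Yield (path, element) for every node in an Elementor element tree."""
    for i, el in enumerate(elements):
        here = f"{path}/{el.get('elType', '?')}[{i}]"
        yield here, el
        yield from walk(el.get("elements", []), here)


def flatten(value, prefix: str = "") -> Iterator[tuple[str, str]]:
    """Yield (setting_name, text) for every string nested inside a settings value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from flatten(v, f"{prefix}[{i}]")
    elif isinstance(value, str):
        yield prefix, value


def find_suspicious_countdowns(elementor_data: str) -> list[dict]:
    """Return one finding per countdown-widget setting that contains a script fragment."""
    findings = []
    for path, el in walk(json.loads(elementor_data)):
        if el.get("elType") != "widget":
            continue
        if "countdown" not in el.get("widgetType", "").lower():
            continue
        for name, text in flatten(el.get("settings", {})):
            m = DANGEROUS.search(text)
            if m:
                findings.append({"path": path, "widget": el["widgetType"],
                                 "setting": name, "match": m.group(0)})
    return findings


# Constructed sample: a benign heading widget plus a countdown widget whose
# "hours" label breaks out of its attribute with an event handler.
# Not captured from a real site; widgetType and setting names are assumed.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "elements": [
        {"id": "b2", "elType": "column", "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Launch soon"}},
            {"id": "d4", "elType": "widget", "widgetType": "htmega-countdown",
             "settings": {
                 "countdown_date": "2025-01-01 00:00",
                 "custom_labels": {"days": "Days",
                                   "hours": 'Hours" onmouseover="alert(1)'},
             }},
        ]},
    ]},
])


if __name__ == "__main__":
    # Pipe real data in with: wp post meta get <post-id> _elementor_data | python3 scan.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ELEMENTOR_DATA
    for finding in find_suspicious_countdowns(data):
        print(finding)
```

Run it against every post that has `_elementor_data` (for example by looping over `wp post list --post_type=page,post --field=ID`); a non-empty result means a stored payload survived and must be cleaned out of the page even after the plugin is updated, since patching stops new injection but does not remove existing content.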