CVE-2024-3307
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages using the HT Mega plugin's Countdown widget. The scripts are stored and execute whenever users view the compromised pages, potentially affecting all visitors. This affects all WordPress sites using HT Mega plugin versions up to 2.4.9.
💻 Affected Systems
- HT Mega - Absolute Addons For Elementor WordPress plugin
📦 What is this software?
Ht Mega by Hasthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user data, display unwanted content, or redirect visitors to phishing sites.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages containing the vulnerable widget.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access. The vulnerability is in the Countdown widget's attribute handling, making injection straightforward for authenticated attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.0 and later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'HT Mega - Absolute Addons For Elementor'. 4. Click 'Update Now' if available, or manually update to version 2.5.0+. 5. Clear any caching plugins or CDN caches.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily restrict contributor-level users from creating or editing posts until patched.
Disable Countdown Widget
allRemove or disable the Countdown widget from all pages if immediate patching isn't possible.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Review and audit all user accounts with contributor access or higher
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for HT Mega version. If version is 2.4.9 or lower, you are vulnerable.Check Version:
wp plugin list --name='ht-mega-for-elementor' --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 2.5.0 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with Countdown widget parameters
- Multiple page edits by contributor users in short timeframes
Network Indicators:
- Script tags with unusual attributes in Countdown widget HTML output
- External script loads from unexpected domains on pages with Countdown widgets
SIEM Query:
source="wordpress.log" AND ("htmega_countdown" OR "Countdown widget") AND ("script" OR "onclick" OR "onload")🔗 References
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_countdown.php#L1251
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3071480%40ht-mega-for-elementor%2Ftrunk&old=3063395%40ht-mega-for-elementor%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c8452e54-7a81-4921-b531-8cb3b0953dab?source=cve
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_countdown.php#L1251
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3071480%40ht-mega-for-elementor%2Ftrunk&old=3063395%40ht-mega-for-elementor%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c8452e54-7a81-4921-b531-8cb3b0953dab?source=cve
