CVE-2024-3990 – This stored XSS vulnerability in the HT Mega Wo... (How to Fix)

Q: What is the severity of CVE-2024-3990?

CVE-2024-3990 has a CVSS score of 6.4 (MEDIUM). This stored XSS vulnerability in the HT Mega WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. The scripts execute when users visit the compromised pages, potentially stealing session cookies, redirecting users, or performing actions on their behalf. All WordPress sites using HT Mega plugin versions up to 2.5.0 are affected.

📋 TL;DR

This stored XSS vulnerability in the HT Mega WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. The scripts execute when users visit the compromised pages, potentially stealing session cookies, redirecting users, or performing actions on their behalf. All WordPress sites using HT Mega plugin versions up to 2.5.0 are affected.

💻 Affected Systems

Products:

HT Mega - Absolute Addons For Elementor WordPress plugin

Versions: All versions up to and including 2.5.0

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with Elementor page builder and the HT Mega plugin installed. Contributor-level access or higher is needed to exploit.

📦 What is this software?

Ht Mega by Hasthemes

View all CVEs affecting Ht Mega →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, deface the site, or redirect users to malicious sites.

🟠

Likely Case

Attackers with contributor access inject malicious scripts that steal user session cookies or redirect visitors to phishing pages.

🟢

If Mitigated

With proper user role management and input validation, the risk is limited to trusted contributors who might accidentally trigger the vulnerability.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access (contributor role or higher). The vulnerability is in the Tooltip & Popover widget where user-supplied attributes aren't properly sanitized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3074490%40ht-mega-for-elementor&new=3074490%40ht-mega-for-elementor&sfp_email=&sfph_mail=#file4

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find 'HT Mega - Absolute Addons For Elementor'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.5.1+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable Tooltip & Popover Widget

all

Temporarily disable the vulnerable widget until patching is possible

Edit WordPress theme functions.php and add: add_filter('elementor/widgets/register', function($widgets_manager) { $widgets_manager->unregister('htmega-tooltip'); });

Restrict Contributor Access

all

Temporarily remove contributor role access or limit to trusted users only

Use WordPress role management plugins like 'User Role Editor' to modify permissions

🧯 If You Can't Patch

Remove the HT Mega plugin entirely and use alternative Elementor addons
Implement strict Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → HT Mega version. If version is 2.5.0 or lower, you are vulnerable.

Check Version:

wp plugin get ht-mega-for-elementor --field=version (if WP-CLI installed)

Verify Fix Applied:

After updating, verify the plugin version shows 2.5.1 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /wp-admin/admin-ajax.php with tooltip/popover parameters
Multiple failed login attempts followed by successful contributor-level login

Network Indicators:

Unexpected JavaScript payloads in page responses containing tooltip or popover attributes

SIEM Query:

source="wordpress.log" AND ("htmega_tooltip" OR "tooltip widget" OR "popover widget") AND ("script" OR "javascript" OR "onclick")

📊 Metadata

CVE ID: CVE-2024-3990

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: May 14, 2024

Last Updated: January 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3990, you might also want to check these: