CVE-2024-12599: 
WordPress vulnerability analysis and mitigation

The HT Mega – Absolute Addons For Elementor WordPress plugin has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-12599). The vulnerability affects all versions up to and including 2.8.1, and was discovered and reported by researcher zer0gh0st. The issue specifically involves the plugin's Countdown widget, where insufficient input sanitization and output escaping of user-supplied attributes creates a security risk (NVD Database).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has received a CVSS v3.1 Base Score of 7.2 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The technical nature of the vulnerability stems from inadequate sanitization and escaping of user-supplied attributes in the Countdown widget component (NVD Database).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD Database).

A fix has been implemented as evidenced by the WordPress plugin repository changelog (WordPress Plugin). Users are advised to update their installations to the latest version of the plugin to mitigate this vulnerability.