CVE-2024-5215: 
WordPress vulnerability analysis and mitigation

The HT Mega – Absolute Addons For Elementor WordPress plugin (versions up to and including 2.5.5) contains a Stored Cross-Site Scripting vulnerability that affects multiple widgets. The vulnerability was discovered on June 25, 2024, and was assigned CVE-2024-5215. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a slightly higher score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page (NVD).

The vulnerability has been patched in version 2.5.6 of the plugin. Users are advised to update to this version or later to mitigate the security risk (WordPress Plugin).