CVE-2024-5173 in HT Mega Plugin
Summary
by MITRE • 06/26/2024
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video player widget settings in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/22/2025
The CVE-2024-5173 vulnerability affects the HT Mega – Absolute Addons For Elementor WordPress plugin, specifically targeting the Video player widget functionality. This security flaw represents a critical stored cross-site scripting vulnerability that exists in all plugin versions up to and including 2.5.5. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's video player widget settings implementation. Attackers exploiting this weakness can inject malicious scripts that persist in the application's database, making the vulnerability particularly dangerous as it can affect multiple users over time.
The technical nature of this vulnerability aligns with CWE-79 which describes Cross-Site Scripting flaws occurring when untrusted data is improperly escaped or sanitized before being rendered in web pages. The vulnerability specifically impacts the plugin's handling of user-supplied attributes within the Video player widget configuration interface. When authenticated users with contributor-level access or higher manipulate these widget settings, they can inject malicious JavaScript code that gets stored in the WordPress database. This stored script executes whenever any user accesses pages containing the compromised widget, creating a persistent threat vector.
Operational impact of CVE-2024-5173 extends beyond simple script injection, as it provides attackers with potential access to user sessions and data. Since the vulnerability requires only contributor-level privileges, it can be exploited by users who have moderate access to WordPress sites, including content editors and authors. The stored nature of the XSS payload means that victims do not need to be actively interacting with the compromised page for the attack to succeed. This vulnerability can enable attackers to steal cookies, session tokens, or redirect users to malicious sites, potentially leading to complete account compromise or data exfiltration. The impact is particularly severe in environments where multiple users regularly access content management interfaces.
Mitigation strategies for CVE-2024-5173 should prioritize immediate plugin updates to versions that address the stored XSS vulnerability. Administrators should implement the principle of least privilege by restricting user access levels to prevent unauthorized modifications to plugin settings. Additionally, input validation and output escaping mechanisms should be strengthened through proper sanitization of all user-supplied data before storage. Security monitoring should include detection of suspicious widget configurations and unexpected script injections in content. Organizations should also consider implementing content security policies to limit script execution capabilities in web browsers. The vulnerability demonstrates the importance of proper input validation as outlined in OWASP Top Ten and aligns with ATT&CK technique T1566 which covers the use of malicious content to gain initial access to systems through web application vulnerabilities.