CVE-2025-1802 in HT Mega Plugin
Summary
by MITRE • 03/20/2025
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘marker_title’, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/27/2025
The HT Mega – Absolute Addons For Elementor plugin represents a popular WordPress extension that enhances Elementor page builder capabilities with additional widgets and features. This particular vulnerability affects versions up to and including 2.8.3, where the plugin fails to adequately sanitize user inputs before storing them in the database. The vulnerability stems from insufficient input validation and output escaping mechanisms within the plugin's codebase, creating a persistent XSS attack vector that can be exploited by authenticated users with contributor-level privileges or higher.
The technical flaw manifests through three specific parameters: 'marker_title', 'notification_content', and 'stt_button_text' which are all susceptible to cross-site scripting attacks. When these parameters receive malicious input containing script tags or other executable code, the plugin stores this unfiltered content without proper sanitization. The vulnerability is classified as stored XSS because the malicious scripts are permanently saved in the database and executed whenever legitimate users access pages containing the injected content. This type of vulnerability allows attackers to bypass normal security restrictions and execute arbitrary code in the context of the victim's browser, potentially leading to session hijacking, data theft, or further compromise of the WordPress installation.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including credential theft, session manipulation, and privilege escalation within the WordPress environment. Since the vulnerability requires only contributor-level access, it represents a significant risk to WordPress sites where multiple users have editing privileges, particularly those that do not implement proper role-based access controls or user monitoring. The partial patch applied in version 2.8.3 suggests that while some mitigation measures were implemented, the vulnerability may still persist in certain scenarios or may not fully address all attack vectors within the affected parameters.
Organizations should prioritize immediate remediation by updating to the latest available version of the HT Mega plugin, which addresses the identified XSS vulnerabilities through enhanced input sanitization and output escaping mechanisms. Security administrators should also implement additional monitoring and access control measures to limit user privileges and regularly audit plugin installations for known vulnerabilities. The vulnerability aligns with CWE-79 which defines Cross-Site Scripting as a critical security weakness, and may map to ATT&CK technique T1059.007 for script execution, highlighting the need for comprehensive security controls beyond simple patch management. Organizations should consider implementing Content Security Policy headers and regular security scanning of their WordPress installations to detect and prevent similar vulnerabilities in other plugins or themes that may be susceptible to similar input validation flaws.