{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1802", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-28T23:31:37.947Z", "datePublished": "2025-03-20T11:11:27.417Z", "dateUpdated": "2026-04-08T16:58:26.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:26.689Z"}, "affected": [{"vendor": "devitemsllc", "product": "HT Mega Addons for Elementor \u2013 Elementor Widgets & Template Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018marker_title\u2019, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3."}], "title": "HT Mega \u2013 Absolute Addons For Elementor <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68530904-22d2-4228-b9f2-76f5ee1fd541?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/extensions/scroll-to-top/assets/js/htmega-scroll-to-top.js"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_googlemap.php"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_notify.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3249106/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3257530/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-03-19T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T13:11:48.467363Z", "id": "CVE-2025-1802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T13:12:57.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T13:11:48.467363Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T13:12:50.357Z"}}], "cna": {"title": "HT Mega \u2013 Absolute Addons For Elementor <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "devitemsllc", "product": "HT Mega \u2013 Absolute Addons For Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-19T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68530904-22d2-4228-b9f2-76f5ee1fd541?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/extensions/scroll-to-top/assets/js/htmega-scroll-to-top.js"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_googlemap.php"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_notify.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3249106/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3257530/"}], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018marker_title\u2019, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-20T11:11:27.417Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1802", "state": "PUBLISHED", "dateUpdated": "2025-03-20T13:12:57.440Z", "dateReserved": "2025-02-28T23:31:37.947Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-20T11:11:27.417Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "F816488A-BF55-4194-BAB8-348CCBDE1942", "versionEndExcluding": "2.8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018marker_title\u2019, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3."}, {"lang": "es", "value": "El complemento HT Mega \u2013 Absolute Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los par\u00e1metros 'marker_title', 'notification_content' y 'stt_button_text' en todas las versiones hasta la 2.8.3 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. La vulnerabilidad se corrigi\u00f3 parcialmente en la versi\u00f3n 2.8.3."}], "id": "CVE-2025-1802", "lastModified": "2025-03-26T18:22:17.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-20T12:15:14.413", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/extensions/scroll-to-top/assets/js/htmega-scroll-to-top.js"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_googlemap.php"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_notify.php"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3249106/"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3257530/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68530904-22d2-4228-b9f2-76f5ee1fd541?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:49:29.915191+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest HT Mega plugin version that removes the XSS vectors (any release newer than 2.8.3).", "If an upgrade is unavailable, immediately revoke Contributor or higher roles from all users and remove the vulnerable widgets.", "Configure WordPress to strip or encode user\u2011supplied HTML in widget content, for example by enforcing stricter sanitization or using a security plugin that blocks script tags."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via contributor\u2011level plugin input"}, "threat_synthesis": {"affected_systems": "WordPress sites running the HT Mega \u2013 Absolute Addons For Elementor plugin by devitemsllc, all versions up to and including 2.8.3. The plugin adds widgets and templates to Elementor and is accessible via the WordPress administration interface.", "description_and_impact": "The HT Mega \u2013 Absolute Addons For Elementor plugin contains a stored XSS vulnerability that allows authenticated users with Contributor or higher access to inject arbitrary scripts through the marker_title, notification_content and stt_button_text parameters. When a victim opens a page containing the injected content, the stored script executes in the victim\u2019s browser, enabling data theft, session hijacking, or defacement. The weakness is a classic case of insufficient input sanitization leading to CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 classifies this as a moderate severity issue, but the EPSS score of less than 1\u202f% indicates low likelihood of active exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to have authenticated Contributor access and to modify widget parameters within the plugin\u2019s editor. Successful exploitation results in client\u2011side script execution on any user who views the affected page."}}}}, "created": "2026-04-21T22:00:26.594002+00:00", "updated": "2026-04-21T22:00:26.594019+00:00", "vendors": []}