CVE-2025-1802
📋 TL;DR
This stored XSS vulnerability in the HT Mega WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into website pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using HT Mega plugin versions up to 2.8.3 are affected.
💻 Affected Systems
- HT Mega – Absolute Addons For Elementor WordPress plugin
📦 What is this software?
HT Mega by HasThemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform actions as authenticated users, or display phishing content.
If Mitigated
With proper input validation and output escaping, malicious scripts are neutralized before reaching users' browsers.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained. The vulnerability details are publicly documented in WordPress plugin repository changesets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.8.3
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'HT Mega – Absolute Addons For Elementor'.
4. Click 'Update Now' if available, or download the latest version from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin features
Temporarily disable the affected widgets (Google Maps, Notify, Scroll-to-Top) until patched
Restrict user roles
Limit Contributor and higher role assignments to trusted users only
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy web application firewall (WAF) rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → HT Mega version. If the version is 2.8.3 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='ht-mega-for-elementor' --field=version
Verify Fix Applied:
After updating, verify that the plugin version is higher than 2.8.3. Test the affected parameters with basic XSS payloads to confirm that input is sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints containing script tags or JavaScript in marker_title, notification_content, or stt_button_text parameters
- Multiple failed authentication attempts followed by successful Contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from WordPress pages
- Unexpected script tags in HTTP responses from plugin endpoints
SIEM Query:
source="wordpress.log" AND ("marker_title" OR "notification_content" OR "stt_button_text") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
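The log indicators and SIEM query above, turned into a small offline detector as an added example (not part of this advisory or the plugin): it URL-decodes POST parameters and flags the three parameters the advisory names when they carry the listed XSS markers. The log line layout, the request path and the action names are constructed assumptions, not the plugin's real endpoints.

```python
import re
from urllib.parse import parse_qs

# Parameters this advisory identifies as stored-XSS sinks.
WATCHED_PARAMS = {"marker_title", "notification_content", "stt_button_text"}

# Same markers as the SIEM query; matched after URL-decoding, case-insensitive.
XSS_PATTERNS = re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

# Constructed sample lines in an assumed "<method> <path> <form body>" layout
# (not a real web-server log format; the action names are hypothetical).
SAMPLE_LOG = [
    "POST /wp-admin/admin-ajax.php action=htmega_save&marker_title=Our+Office",
    "POST /wp-admin/admin-ajax.php action=htmega_save&marker_title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "POST /wp-admin/admin-ajax.php action=htmega_save&stt_button_text=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "POST /wp-admin/admin-ajax.php notification_content=Sale+ends+Friday",
    "GET /wp-admin/admin-ajax.php?action=htmega_get",
    "POST /wp-login.php log=editor&pwd=secret",
]


def parse_line(line):
    """Split a sample line into (method, path, params); params values are decoded lists.
    Returns None for lines that do not fit the assumed layout."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    # parse_qs percent-decodes and turns '+' into spaces, so encoded payloads are visible.
    return method, path, parse_qs(body, keep_blank_values=True)


def find_xss_attempts(lines):
    """Return (line_no, parameter, decoded_value) for each POST whose watched
    parameter contains one of the XSS markers. Only POSTs are considered, since
    the stored values are written by form submissions."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "POST":
            continue
        params = parsed[2]
        for name in sorted(WATCHED_PARAMS.intersection(params)):
            for value in params[name]:
                if XSS_PATTERNS.search(value):
                    hits.append((line_no, name, value))
    return hits


if __name__ == "__main__":
    for line_no, name, value in find_xss_attempts(SAMPLE_LOG):
        print(f"line {line_no}: suspicious {name} = {value!r}")
```

Pattern matches are a triage signal, not proof: Contributors can legitimately submit text, so review the flagged requests alongside the plugin version check before acting.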
🔗 References
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/extensions/scroll-to-top/assets/js/htmega-scroll-to-top.js
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_googlemap.php
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_notify.php
- https://plugins.trac.wordpress.org/changeset/3249106/
- https://plugins.trac.wordpress.org/changeset/3257530/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/68530904-22d2-4228-b9f2-76f5ee1fd541?source=cve