PT-2025-47709 · WordPress+1 · Absolute Addons For Elementor+2

Abu Hurayra · Published 2025-11-21 · Updated 2025-11-21 · CVE-2025-13141

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
HT Mega – Absolute Addons For Elementor plugin for WordPress versions prior to 3.0.0

Description
The HT Mega – Absolute Addons For Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through its Gutenberg blocks. This is caused by inadequate input validation of user-provided HTML tag names, specifically a missing tag name whitelist. Dangerous tags such as script, iframe, and object can be injected despite the use of tag_escape() for sanitization. While some blocks utilize esc_html() for content, this can be circumvented using JavaScript encoding techniques like unquoted strings, backticks, and String.fromCharCode(). Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the affected page.

Recommendations
Update the HT Mega – Absolute Addons For Elementor plugin to version 3.0.0 or later.
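
One way to enforce the missing tag-name allowlist that the description refers to, as an added example that is not the plugin's code or its 3.0.0 fix. The demo_* functions and the allowed-tag list are assumptions, and demo_tag_escape() / demo_esc_html() are stand-ins that approximate the WordPress functions so the file runs outside WordPress.

```php
<?php
// Added example: hypothetical block renderer, not code from HT Mega.

// Stand-in approximating WordPress tag_escape(): it lowercases the name and
// strips characters that are not valid in a tag name. It does not judge
// whether the resulting element is safe to emit.
function demo_tag_escape(string $tag): string {
    return strtolower(preg_replace('/[^a-zA-Z0-9_:-]/', '', $tag));
}

// Stand-in approximating esc_html(): encodes HTML metacharacters.
function demo_esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Weak pattern: the tag name is only character-filtered, so any syntactically
// valid element name (script, iframe, object) is emitted as the wrapper.
// Entity-encoding the content does not help once the wrapper is a script
// element, because its content is parsed as script rather than as HTML text.
function demo_render_weak(string $tag, string $content): string {
    $tag = demo_tag_escape($tag);
    return "<{$tag}>" . demo_esc_html($content) . "</{$tag}>";
}

// Hardened pattern: the attribute may only select from a fixed set of
// presentational wrappers (assumed list); anything else becomes the fallback.
const DEMO_ALLOWED_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

function demo_safe_tag(string $tag, string $fallback = 'div'): string {
    $tag = demo_tag_escape($tag);
    return in_array($tag, DEMO_ALLOWED_TAGS, true) ? $tag : $fallback;
}

function demo_render_hardened(string $tag, string $content): string {
    $tag = demo_safe_tag($tag);
    return "<{$tag}>" . demo_esc_html($content) . "</{$tag}>";
}

// Constructed sample attribute values, as a block's saved tag setting might hold.
foreach (['h2', 'SCRIPT', 'iframe', 'object'] as $attr) {
    printf(
        "%-8s weak: %-40s hardened: %s\n",
        $attr,
        demo_render_weak($attr, 'Section title'),
        demo_render_hardened($attr, 'Section title')
    );
}
```

The allowlist check belongs in the server-side render path, since block attributes saved by a contributor are attacker-controlled regardless of what the editor UI offers.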

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-13141

Affected Products

Absolute Addons For Elementor
Elementor
Ht Mega – Absolute Addons For Elementor