CVE-2025-13141 is a stored cross-site scripting vulnerability identified in the HT Mega – Absolute Addons For Elementor plugin for WordPress, affecting all versions up to and including 3.0.0. The vulnerability stems from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to enforce a whitelist on HTML tag names supplied by users within Gutenberg blocks, allowing injection of dangerous tags such as <script>, <iframe>, and <object>. Although the plugin attempts sanitization using tag_escape(), this method is insufficient because it does not restrict tag names to safe values. Additionally, while some blocks use esc_html() to sanitize content, attackers can bypass this using JavaScript encoding techniques like unquoted strings, backticks, or String.fromCharCode(). Exploitation requires authenticated access at contributor level or higher, enabling attackers to inject persistent malicious scripts into pages. These scripts execute in the context of any user viewing the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS v3.1 score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and no user interaction required. No public exploits are currently known. The vulnerability was published on November 21, 2025, and assigned by Wordfence. No official patches have been linked yet, highlighting the urgency for mitigation.

This vulnerability allows authenticated users with contributor-level access or higher to inject persistent malicious JavaScript into WordPress pages using the affected plugin. The injected scripts execute in the browsers of any visitors to the compromised pages, potentially leading to theft of session cookies, user credentials, or other sensitive information. It can also facilitate site defacement, unauthorized actions on behalf of users, or distribution of malware. For organizations, this undermines the confidentiality and integrity of their websites and user data, damages reputation, and may lead to regulatory compliance issues. Since the plugin is popular among WordPress sites using Elementor, a wide range of websites including corporate, e-commerce, and informational portals could be affected globally. The attack requires authenticated access but no user interaction beyond page viewing, increasing the risk of exploitation by insiders or compromised accounts. The lack of a patch at the time of disclosure prolongs exposure. Although no known exploits are reported in the wild, the medium severity score and ease of exploitation warrant urgent attention to prevent potential compromise.

1. Immediately restrict contributor-level user permissions to trusted individuals only, minimizing the risk of malicious script injection. 2. Monitor and audit content created or edited by contributors for suspicious HTML tags or scripts. 3. Disable or remove the HT Mega – Absolute Addons For Elementor plugin until an official patch is released. 4. If disabling the plugin is not feasible, implement a web application firewall (WAF) with custom rules to detect and block requests containing dangerous HTML tags or JavaScript payloads in Gutenberg blocks. 5. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and loading of untrusted resources, mitigating impact of injected scripts. 6. Regularly update WordPress core, themes, and plugins, and subscribe to vendor security advisories for timely patching once available. 7. Educate site administrators and contributors about the risks of injecting untrusted HTML and the importance of secure content practices. 8. Conduct thorough security reviews and penetration testing focusing on user-generated content areas to detect similar vulnerabilities. These steps go beyond generic advice by focusing on access control, monitoring, temporary plugin removal, and layered defenses to reduce risk until a patch is available.