The HT Mega – Absolute Addons For Elementor plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the plugin fails to whitelist HTML tag names in user input within Gutenberg blocks, allowing injection of dangerous tags such as 'script', 'iframe', and 'object'. Although the plugin uses tag_escape() and esc_html() for sanitization, these measures are insufficient and can be bypassed using JavaScript encoding techniques like unquoted strings, backticks, and String.fromCharCode(). This vulnerability enables authenticated attackers with contributor or higher privileges to inject arbitrary JavaScript that executes in the context of users viewing the compromised pages. The CVSS 3.1 base score is 6.4 (medium severity), with network attack vector, low attack complexity, and no user interaction required.

An attacker with contributor-level access or higher can inject malicious scripts into pages via Gutenberg blocks, which execute when other users access those pages. This can lead to limited confidentiality and integrity impacts, such as theft of session tokens or manipulation of page content. There is no reported impact on availability. The vulnerability requires authentication but no user interaction beyond viewing the injected page.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access to trusted users only and consider disabling or limiting use of the vulnerable Gutenberg blocks. Monitor for updates from devitemsllc regarding patches or official mitigations.