The HT Mega – Absolute Addons For Elementor plugin for WordPress suffers from a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation. Specifically, the parameters 'marker_title', 'notification_content', and 'stt_button_text' are not properly sanitized or escaped, allowing authenticated users with Contributor or higher privileges to inject arbitrary scripts. These scripts execute in the context of users viewing the compromised pages. The vulnerability affects all versions up to and including 2.8.3, with a partial patch applied in version 2.8.3. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and impact on confidentiality and integrity but not availability.

Successful exploitation allows an authenticated user with Contributor-level access or higher to inject and store malicious scripts that execute in the browsers of users who visit the affected pages. This can lead to unauthorized disclosure of information and modification of content within the context of the affected site. There is no direct impact on availability. The vulnerability is rated medium severity with a CVSS score of 6.4.

A partial patch was introduced in version 2.8.3 of the plugin. However, since the patch is partial, users should verify with the vendor or official sources whether a complete fix is available or planned. Until a full fix is confirmed, restrict Contributor-level access to trusted users only and consider additional input validation or output escaping measures. Patch status is not yet confirmed as fully resolved — check the vendor advisory for current remediation guidance.