HT Mega - Absolute Addons For Elementor Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the HT Mega - Absolute Addons For Elementor plugin for WordPress, affecting all versions through 2.8.3. The vulnerability arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts are executed when a user accesses the compromised page. The issue is present in the 'marker_title', 'notification_content', and 'stt_button_text' parameters.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject scripts through the 'marker_title', 'notification_content', or 'stt_button_text' parameters. Once the scripts are injected, they will be executed when the page is viewed by any user.

Remediation

Users are advised to update the HT Mega - Absolute Addons For Elementor plugin to version 2.8.4 or later.