HT Mega Absolute Addons for Elementor Path Traversal Vulnerability Allowing Arbitrary CSS File Manipulation

Vulnerability

A path traversal vulnerability has been identified in the HT Mega – Absolute Addons For Elementor plugin for WordPress, affecting all versions up to and including 2.9.1. The flaw is in the 'save_block_css' function, which builds a filesystem path from user-supplied input without sufficient validation. Authenticated attackers with Author-level access or higher can use it to create and delete CSS files in arbitrary directories when the site runs on a Windows host.

Impact

Exploitation allows an authenticated Author (or higher) to write attacker-controlled CSS files to locations outside the plugin's intended directory and to delete existing CSS files. The impact described here is limited to CSS content: injecting malicious styles into the site, or breaking its appearance by removing stylesheets it depends on.

Reproduction

To reproduce, an authenticated user with Author-level access or higher sends a POST request to the plugin's 'save_css' endpoint of the WordPress REST API. The request carries a 'post_id' parameter, which the plugin uses to name the CSS file for that post, and a 'block_css' parameter holding the CSS content to be written. Because 'post_id' is not validated as a numeric post ID, supplying a value containing directory traversal sequences causes the file to be written to a location outside the intended directory. The issue is reported for Windows environments, so test on a Windows host and confirm the installed plugin version is 2.9.1 or earlier before attempting reproduction.
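The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections; it is not the plugin's own code and does not claim to reproduce the real 'save_block_css' implementation. The route namespace 'htmega-demo/v1', the file naming scheme 'htmega-block-{post_id}.css', the storage directory under wp-content/uploads, and the convention that an empty 'block_css' deletes the file are all assumptions made for the example. It places a vulnerable handler, which interpolates 'post_id' straight into a path, next to a hardened one that coerces the ID to an integer, checks the caller may edit that post, and confirms the final path stays inside the CSS directory.

```php
<?php
/**
 * Added example (not HT Mega's code): vulnerable vs. hardened REST handler
 * that writes per-post block CSS to disk. All names below are assumptions.
 */

// Assumed directory for generated block CSS files.
function htmega_demo_css_dir(): string {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'htmega-demo-css/';
}

// VULNERABLE pattern: post_id is concatenated into a path without validation.
// On Windows PHP accepts "\" as a separator, so a value such as "..\..\..\evil"
// leaves the directory even if the code had stripped "../" beforehand.
function htmega_demo_save_css_vulnerable( WP_REST_Request $request ) {
    $post_id   = $request->get_param( 'post_id' );
    $block_css = $request->get_param( 'block_css' );
    $file      = htmega_demo_css_dir() . 'htmega-block-' . $post_id . '.css';

    if ( empty( $block_css ) ) {
        wp_delete_file( $file );           // attacker-controlled delete
        return new WP_REST_Response( array( 'deleted' => $file ) );
    }
    file_put_contents( $file, $block_css ); // attacker-controlled create
    return new WP_REST_Response( array( 'saved' => $file ) );
}

// HARDENED pattern: the real fix is absint(), which turns any traversal
// string into 0 and is rejected below. The prefix check is defence in depth
// only: wp_normalize_path() does not collapse "..", so it would NOT be
// sufficient on its own for an arbitrary string.
function htmega_demo_save_css_hardened( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'post_id' ) );
    if ( 0 === $post_id || ! get_post( $post_id ) ) {
        return new WP_Error( 'invalid_post', 'Unknown post ID.', array( 'status' => 400 ) );
    }
    // Author-level users may only touch CSS for posts they can edit.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to edit this post.', array( 'status' => 403 ) );
    }

    $dir  = wp_normalize_path( htmega_demo_css_dir() );
    $file = wp_normalize_path( $dir . 'htmega-block-' . $post_id . '.css' );
    if ( 0 !== strpos( $file, $dir ) ) {
        return new WP_Error( 'bad_path', 'Path outside CSS directory.', array( 'status' => 400 ) );
    }

    $block_css = (string) $request->get_param( 'block_css' );
    if ( '' === $block_css ) {
        if ( file_exists( $file ) ) {
            wp_delete_file( $file );
        }
        return new WP_REST_Response( array( 'deleted' => true, 'post_id' => $post_id ) );
    }

    wp_mkdir_p( $dir );
    file_put_contents( $file, $block_css );
    return new WP_REST_Response( array( 'saved' => true, 'post_id' => $post_id ) );
}

// Route registration (assumed names). Declaring post_id as an integer lets the
// REST layer reject non-numeric values before the callback runs at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'htmega-demo/v1', '/save_css', array(
        'methods'             => 'POST',
        'callback'            => 'htmega_demo_save_css_hardened',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'post_id'   => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'block_css' => array( 'required' => false, 'type' => 'string' ),
        ),
    ) );
} );
```

When reviewing a plugin for this pattern, look for any REST or AJAX callback that builds a filename from a request parameter; the check that matters is whether the parameter reaches the path as a validated integer (or a whitelisted token), not whether "../" is filtered, since the backslash form bypasses such filters on Windows.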

Remediation

Users are advised to update the HT Mega – Absolute Addons For Elementor plugin to version 2.9.2 or later.

Added: Jul 31, 2025, 12:21 PM
Updated: Jul 31, 2025, 12:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.