Plugin Vulnerability Hub
Plugin | 32 known issues | Latest disclosed Nov 20, 2025

HT Mega Addons for Elementor – Elementor Widgets & Template Builder Vulnerabilities

Review known vulnerability records for the WordPress plugin HT Mega Addons for Elementor – Elementor Widgets & Template Builder (`ht-mega-for-elementor`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-13141, CVE-2025-54695 and CVE-2025-8401, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 32
High or Critical: 3
Patch Coverage: 100%
Last Updated: Mar 27, 2026

Priority CVE Quick Links

Fast paths into HT Mega Addons for Elementor – Elementor Widgets & Template Builder CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 32

CVE-2023-37999 Critical 2.2.1
CVE-2023-37999 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Privilege Escalation

HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation

CVE-2024-1974 High 2.4.7
CVE-2024-1974 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Vulnerability

HT Mega – Absolute Addons For Elementor <= 2.4.5 - Authenticated (Contributor+) Directory Traversal

CVE-2023-6214 High 2.4.7
CVE-2023-6214 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Sensitive Information Exposure

HT Mega – Absolute Addons For Elementor <= 2.4.6 - Sensitive Information Exposure via purchased_products

CVE-2025-13141 Medium 3.0.1
CVE-2025-13141 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Stored Cross-Site Scripting

HT Mega – Absolute Addons For Elementor <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tag Attribute Injection

CVE-2025-1802 Medium 2.8.4
CVE-2025-1802 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Stored Cross-Site Scripting

HT Mega – Absolute Addons For Elementor <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

CVE-2025-1261 Medium 2.8.3
CVE-2025-1261 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Stored Cross-Site Scripting

HT Mega – Absolute Addons For Elementor <= 2.8.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown Widget

CVE-2024-12599 Medium 2.8.2
CVE-2024-12599 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Stored Cross-Site Scripting

HT Mega – Absolute Addons For Elementor <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

CVE-2024-12597 Medium 2.7.7
CVE-2024-12597 HT Mega Addons for Elementor – Elementor Widgets & Template Builder Stored Cross-Site Scripting

HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for HT Mega Addons for Elementor – Elementor Widgets & Template Builder so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 32 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 2 high severity findings.
Recent CVEs: CVE-2025-13141, CVE-2025-54695 and CVE-2025-8401
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for HT Mega Addons for Elementor – Elementor Widgets & Template Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-13141
CVE-2025-13141: HT Mega – Absolute Addons For Elementor <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tag Attribute Injection

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the lac...

Published: Nov 20, 2025
Patched Release: 3.0.1
Affected Versions: Up to 3.0.0
Next Step: Update to 3.0.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-54695
CVE-2025-54695: HT Mega <= 2.9.0 - Missing Authorization

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.0. This makes it possible for authenticated attackers, with Contributor-level access and...

Published: Jul 30, 2025
Patched Release: 2.9.1
Affected Versions: Up to 2.9.0
Next Step: Update to 2.9.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-8401
CVE-2025-8401: HT Mega – Absolute Addons For Elementor <= 2.9.1 - Authenticated (Author+) Sensitive Information Exposure

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data' function. This makes it possible for authenticated attackers, with Author-level access and above, t...

Published: Jul 30, 2025
Patched Release: 2.9.2
Affected Versions: Up to 2.9.1
Next Step: Update to 2.9.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-8068
CVE-2025-8068: HT Mega – Absolute Addons For Elementor <= 2.9.1 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenti...

Published: Jul 30, 2025
Patched Release: 2.9.2
Affected Versions: Up to 2.9.1
Next Step: Update to 2.9.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-8151
CVE-2025-8151: HT Mega – Absolute Addons For Elementor <= 2.9.1 - Authenticated (Author+) Path Traversal to Limited Arbitrary CSS File Actions

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. This makes it possible for authenticated attackers, with Author-level access and above, to create CSS fi...

Published: Jul 30, 2025
Patched Release: 2.9.2
Affected Versions: Up to 2.9.1
Next Step: Update to 2.9.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-1802
CVE-2025-1802: HT Mega – Absolute Addons For Elementor <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_title', 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and ou...

Published: Mar 19, 2025
Patched Release: 2.8.4
Affected Versions: Up to 2.8.3
Next Step: Update to 2.8.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-1261
CVE-2025-1261: HT Mega – Absolute Addons For Elementor <= 2.8.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown Widget

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attrib...

Published: Mar 07, 2025
Patched Release: 2.8.3
Affected Versions: Up to 2.8.2
Next Step: Update to 2.8.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12599
CVE-2024-12599: HT Mega – Absolute Addons For Elementor <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Published: Feb 10, 2025
Patched Release: 2.8.2
Affected Versions: Up to 2.8.1
Next Step: Update to 2.8.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12597
CVE-2024-12597: HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possi...

Published: Feb 03, 2025
Patched Release: 2.7.7
Affected Versions: Up to 2.7.6
Next Step: Update to 2.7.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-8910
CVE-2024-8910: HT Mega – Absolute Addons For Elementor <= 2.6.5 - Authenticated (Contributor+) Sensitive Information Exposure via template_id

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets/htmega_accordion.php. This makes it possible for authenticated attackers, with...

Published: Sep 24, 2024
Patched Release: 2.6.6
Affected Versions: Up to 2.6.5
Next Step: Update to 2.6.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-38706
CVE-2024-38706: HT Mega <= 2.5.7 - Authenticated (Contributor+) JSON File Directory Traversal

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.7. This makes it possible for unauthenticated attackers to perform actions on JSON files outside of the originally intended directory.

Published: Jul 11, 2024
Patched Release: 2.5.8
Affected Versions: Up to 2.5.7
Next Step: Update to 2.5.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-5215
CVE-2024-5215: HT Mega – Absolute Addons For Elementor <= 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos...

Published: Jun 25, 2024
Patched Release: 2.5.6
Affected Versions: Up to 2.5.5
Next Step: Update to 2.5.6 or newer if supported.