Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows DOM-Based XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through <= 1.0.9.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HT Mega – Absolute Addons for WPBakery Page Builder plugin has a DOM‑based cross‑site scripting weakness caused by improper neutralization of user input during web page generation. Against affected versions this flaw permits an attacker to inject malicious scripts through crafted input that is rendered without adequate sanitization. Successful exploitation could allow the attacker to execute code in the context of a victim’s browser, facilitating session hijacking, credential theft, or defacement of the site.

Affected Systems

Any WordPress site running the HT Mega – Absolute Addons for WPBakery Page Builder plugin at version 1.0.9 or earlier is affected. The vulnerability applies to all releases through that version boundary.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability, while the EPSS score of less than 1% signals a very low likelihood of real‑world exploitation at present. The issue is not listed in the CISA KEV catalog. The attack vector is inferred to be via any user‑controllable input that the plugin renders without proper escaping, such as custom block content or widget fields. An attacker would supply a malicious payload that is then executed when the page loads in a victim’s browser.

Generated by OpenCVE AI on April 30, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of HT Mega – Absolute Addons for WPBakery Page Builder to remove the vulnerability.
  • If an immediate upgrade is not possible, disable or remove any features that accept user‑generated content rendered by the plugin and clear the site cache.
  • Configure a web application firewall to block requests containing known XSS payload patterns until a patch can be applied.



Advisories
Source: EUVD
ID: EUVD-2025-30743
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through 1.0.9.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows DOM-Based XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through <= 1.0.9.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Ht Plugins
Ht Plugins absolute Addons For Wpbakery Page Builder
Wordpress
Wordpress wordpress
Wpbakery
Wpbakery page Builder
Wpbakery wpbakery Page Builder
Vendors & Products Ht Plugins
Ht Plugins absolute Addons For Wpbakery Page Builder
Wordpress
Wordpress wordpress
Wpbakery
Wpbakery page Builder
Wpbakery wpbakery Page Builder

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through 1.0.9.
Title WordPress HT Mega – Absolute Addons for WPBakery Page Builder Plugin <= 1.0.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:25.585Z

Reserved: 2025-06-30T10:46:37.789Z

Link: CVE-2025-53463

Vulnrichment

Updated: 2025-09-23T20:30:23.579Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:43.493

Modified: 2026-04-23T15:32:34.650

Link: CVE-2025-53463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:15:06Z

Weaknesses