Description
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. This makes it possible for authenticated attackers, with Author-level access and above, to create CSS files in any directory, and delete CSS files in any directory in a Windows environment.
Published: 2025-07-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file creation and deletion via path traversal in HT Mega plugin
Action: Patch
AI Analysis

Impact

The HT Mega plugin for WordPress has a path traversal vulnerability in the save_block_css method that lets an authenticated user with author or higher privileges create or delete CSS files in any directory on a Windows installation. The flaw enables the attacker to overwrite existing style files or remove them, which can alter the appearance of the website or be a stepping stone for further attacks. This weakness is a classic path traversal (CWE-22) and does not provide remote code execution directly.

Affected Systems

The vulnerability affects devitemsllc's HT Mega Addons for Elementor – Elementor Widgets & Template Builder, versions up to and including 2.9.1 in the free WordPress distribution. It is confirmed on Windows environments; other operating systems have not been verified.

Risk and Exploitability

The CVSS score is 4.3, indicating low severity, and the EPSS score is below 1%, meaning exploitation probability is currently minimal. The vulnerability is not in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with author-level or higher access and to be able to invoke the save_block_css operation, likely through the plugin's UI or crafted requests. The risk is confined to compromised or malicious users with sufficient privileges, as the attack vector is internal and depends on authenticated access.

Generated by OpenCVE AI on April 21, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HT Mega plugin to a version newer than 2.9.1 if available.
  • If an update cannot be applied, deactivate or uninstall the plugin from the WordPress installation.
  • Limit author and higher privileges to trusted users only and review existing role assignments.
  • Monitor the plugin’s activity logs for unusual CSS file creation or deletion events.

Generated by OpenCVE AI on April 21, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23264 The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. This makes it possible for authenticated attackers, with Author-level access and above, to create CSS files in any directory, and delete CSS files in any directory in a Windows environment.
History

Wed, 13 Aug 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Hasthemes
Hasthemes ht Mega
CPEs cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*
Vendors & Products Hasthemes
Hasthemes ht Mega

Thu, 31 Jul 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Thu, 31 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 31 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. This makes it possible for authenticated attackers, with Author-level access and above, to create CSS files in any directory, and delete CSS files in any directory in a Windows environment.
Title HT Mega – Absolute Addons For Elementor <= 2.9.1 - Authenticated (Author+) Path Traversal to Limited Arbitrary CSS File Actions
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Elementor Elementor
Hasthemes Ht Mega
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:59.318Z

Reserved: 2025-07-24T23:07:55.088Z

Link: CVE-2025-8151

cve-icon Vulnrichment

Updated: 2025-07-31T14:11:00.705Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-31T12:15:26.820

Modified: 2025-08-13T19:32:22.077

Link: CVE-2025-8151

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses