CVE-2025-53206
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder ht-mega-for-wpbakery allows Stored XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through <= 1.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in HT Mega – Absolute Addons for WPBakery Page Builder up to v1.0.8 allows authenticated attackers with contributor-level access to inject arbitrary web scripts.
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the HT Mega – Absolute Addons for WPBakery Page Builder WordPress plugin (versions up to and including 1.0.8). The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be permanently stored on the server [1].
Exploitation requires an authenticated user with contributor-level privileges or higher to inject a crafted payload into a page or post using the vulnerable plugin's components. Successful injection does not require direct user interaction from the victim; the malicious script executes automatically when any visitor accesses the affected page [1].
An attacker can leverage this vulnerability to inject arbitrary HTML and JavaScript, enabling actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing the website. The CVSS v3 base score is 6.5 (Medium), reflecting the need for authentication but significant potential impact on confidentiality and integrity [1].
As a mitigation, the vendor released version 1.0.9, which resolves the issue. Users are strongly advised to update immediately. Patchstack auto-update functionality is available for subscribers. No workaround is documented, and the vendor notes that while this is a low-severity exposure, similar XSS flaws are frequently used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.0.8
- (no CPE) range: <= 1.0.8
- Range: <= 1.0.8
Patches
No patches discovered yet.
References