VYPR

Ht Mega

by WordPress

Source repositories

CVEs (13)

  • CVE-2024-38706MedJul 12, 2024
    risk 0.42cvss 6.5epss 0.01

    Path Traversal: '.../...//' vulnerability in DevItems HT Mega ht-mega-for-elementor.This issue affects HT Mega: from n/a through <= 2.5.7.

  • CVE-2024-5173MedJun 26, 2024
    risk 0.42cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video player widget settings in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied…

  • CVE-2024-3990MedMay 14, 2024
    risk 0.42cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tooltip & Popover Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes.…

  • CVE-2024-3989MedMay 14, 2024
    risk 0.42cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gallery Justify Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied…

  • CVE-2024-3308MedMay 2, 2024
    risk 0.42cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget's attributes in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping. This makes it possible…

  • CVE-2024-2790MedMay 2, 2024
    risk 0.42cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Accordion widget in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2024-30182MedMar 27, 2024
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevItems HT Mega ht-mega-for-elementor.This issue affects HT Mega: from n/a through <= 2.4.3.

  • CVE-2025-13141MedNov 21, 2025
    risk 0.35cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the…

  • CVE-2024-12599MedFeb 11, 2025
    risk 0.35cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes.…

  • CVE-2024-2084MedMay 2, 2024
    risk 0.35cvss 6.4epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox widget in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes.…

  • CVE-2021-24261MedMay 5, 2021
    risk 0.35cvss 5.4epss 0.01

    The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

  • CVE-2024-8910MedSep 25, 2024
    risk 0.21cvss 4.3epss 0.00

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets/htmega_accordion.php. This makes it possible for authenticated attackers,…

  • CVE-2024-4875MedMay 21, 2024
    risk 0.21cvss 4.3epss 0.01

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated…

VYPR — Vulnerability Intelligence