Platform
wordpress
Component
ht-mega-for-elementor
Fixed in
2.9.2
CVE-2025-8151 describes a Path Traversal vulnerability found in the HT Mega Addons for Elementor plugin, a WordPress plugin designed to extend Elementor's functionality. This vulnerability allows authenticated attackers, possessing Author-level access or higher, to manipulate file paths and potentially compromise the server. The vulnerability impacts versions 0.0.0 through 2.9.1, and a patch is available in version 2.9.2.
The core impact of CVE-2025-8151 lies in the ability of an authenticated attacker to create and delete arbitrary CSS files on the server. While seemingly limited to CSS files, this can be leveraged to overwrite critical configuration files, inject malicious code, or gain further access to the underlying system. The vulnerability is specifically noted to function in Windows environments, suggesting potential exploitation of Windows-specific file system features. Successful exploitation could lead to complete server compromise, data exfiltration, and denial of service. This vulnerability shares similarities with other path traversal exploits where attackers leverage predictable file system structures to gain unauthorized access.
CVE-2025-8151 was publicly disclosed on 2025-07-31. No public proof-of-concept (PoC) code has been identified as of this writing. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the potential for server compromise suggests a medium to high probability of exploitation if left unpatched.
WordPress websites utilizing the HT Mega Addons for Elementor plugin, particularly those running older versions (0.0.0–2.9.1) and where users have Author-level or higher access, are at significant risk. Shared hosting environments where plugin updates are not managed centrally are also particularly vulnerable.
• wordpress / composer / npm:
grep -r "save_block_css" /var/www/html/wp-content/plugins/ht-mega-addons-for-elementor/
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/ht-mega-addons-for-elementor/css/../../../../etc/passwd | head -n 1
Disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8151 is to immediately upgrade the HT Mega Addons for Elementor plugin to version 2.9.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Restrict file upload permissions for users with Author-level access or higher. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns (e.g., '../'). Monitor server logs for unusual file creation or deletion activity, particularly in unexpected directories. After upgrading, confirm the fix by attempting to create a CSS file in a restricted directory using the vulnerable plugin functionality.
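The mitigation advice above asks for WAF rules that block traversal patterns and for log monitoring of unusual file activity. The following is an added example, not code from the advisory or from the HT Mega project: a small log scanner that flags traversal attempts (plain, URL-encoded, double-encoded and Windows backslash forms, since the advisory notes the issue functions on Windows), plus the path-containment check a hardened CSS save/delete routine should perform. The log lines, the `file=` query parameter and the `/tmp/htmega-css` directory are constructed for the example; the plugin directory name is taken from the detection commands above.

```python
"""Added example (not code from the advisory or from the HT Mega project):
a log-scanning helper that flags path-traversal attempts of the kind the
advisory recommends watching for, and a path-containment check of the kind
a hardened CSS writer should perform before creating or deleting a file.
Log lines, the file= parameter and directory names are constructed."""
import re
from pathlib import Path
from urllib.parse import unquote

# Apache/nginx combined log format: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def decode_twice(value: str) -> str:
    """Undo single and double URL encoding so %2e%2e and %252e%252e both read as '..'."""
    return unquote(unquote(value))


def is_traversal_attempt(request_target: str) -> bool:
    """True when any path or query segment is exactly '..' after decoding.

    Backslashes are folded to '/' because the advisory notes the issue functions
    on Windows, where '..\\' traverses just like '../'.
    """
    decoded = decode_twice(request_target).replace("\\", "/")
    path, _, query = decoded.partition("?")
    segments = path.split("/") + re.split(r"[/&=;]", query)
    return ".." in segments


def scan_access_log(lines):
    """Return (client_ip, method, target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _ts, method, target, status = m.groups()
        if is_traversal_attempt(target):
            hits.append((ip, method, target, int(status)))
    return hits


def safe_css_target(base_dir: str, requested_name: str):
    """Resolve requested_name under base_dir and return it only if it stays
    directly inside base_dir and carries a .css suffix; otherwise None.

    This is the containment check a plugin's save/delete routine should apply
    (an illustration, not the project's patched code)."""
    base = Path(base_dir).resolve()
    normalized = requested_name.replace("\\", "/")  # treat Windows separators like '/'
    candidate = (base / normalized).resolve()
    if candidate.parent != base or candidate.suffix.lower() != ".css":
        return None
    return candidate


# Constructed sample log lines: line 1 is benign, line 2 mirrors the probe
# shown in the detection section above, line 3 is an encoded Windows-style
# variant carried in a hypothetical file= query parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/ht-mega-addons-for-elementor/css/widget-3.css HTTP/1.1" 200 512',
    '198.51.100.23 - - [31/Jul/2025:10:00:09 +0000] "GET /wp-content/plugins/ht-mega-addons-for-elementor/css/../../../../etc/passwd HTTP/1.1" 403 199',
    '198.51.100.23 - - [31/Jul/2025:10:00:15 +0000] "POST /wp-admin/admin-ajax.php?file=%2e%2e%5c%2e%2e%5cwp-config.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(safe_css_target("/tmp/htmega-css", "widget-3.css"))     # a path inside the base dir
    print(safe_css_target("/tmp/htmega-css", "../../etc/passwd"))  # None
```

Running the scanner over a real access log (`scan_access_log(open("access.log"))`) turns the advisory's "monitor for unusual file activity" into a concrete alert source; the decode-twice step matters because a single-decode WAF rule on `../` misses `%252e%252e%252f`. The containment check deliberately rejects subdirectories and non-`.css` names rather than trying to strip `..` sequences, since stripping leaves room for re-encoding tricks.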
Update the HT Mega Addons for Elementor plugin to version 2.9.2 or later to mitigate the Path Traversal vulnerability. This update corrects how CSS files are handled, preventing unauthorized file creation and deletion.
CVE-2025-8151 is a Path Traversal vulnerability affecting the HT Mega Addons for Elementor WordPress plugin, allowing authenticated attackers to manipulate files on the server.
You are affected if you are using HT Mega Addons for Elementor versions 0.0.0 through 2.9.1 and have users with Author-level access or higher.
Upgrade the HT Mega Addons for Elementor plugin to version 2.9.2 or later. Consider WAF rules and restricted file permissions as temporary workarounds.
As of now, there is no confirmed active exploitation, but the vulnerability's potential impact warrants immediate attention and patching.
Refer to the official HT Mega Addons website and WordPress plugin repository for the latest advisory and update information.