How CVE-2025-1802 Works
The HT Mega plugin for WordPress fails to properly sanitize user-supplied input in the `marker_`, `notification_content`, and `sttt_button_text` parameters. Attackers with Contributor-level permissions or higher can inject malicious JavaScript payloads into these fields. When an administrator or other privileged user views a page containing the compromised widget, the script executes in their browser, potentially leading to session hijacking, admin takeover, or defacement. The vulnerability stems from insecure rendering via `echo` or similar functions without `esc_html()` or equivalent output escaping.
DailyCVE Form:
Platform: WordPress
Version: ≤ 2.8.3
Vulnerability: Stored XSS
Severity: Medium
Date: 03/26/2025
What Undercode Says:
Exploitation:
1. Payload Injection:
<script>alert(document.cookie)</script>
Insert via `marker_` in HT Mega widgets.
2. CSRF + XSS:
Combine with a fake admin request to escalate attacks.
Detection:
grep -r "echo.marker_" /path/to/ht-mega/
Mitigation:
1. Patch: Upgrade to HT Mega ≥ 2.8.4.
2. Input Sanitization:
$clean_ = sanitize_text_field( $_POST['marker_'] ); // strip tags and control characters before the value is stored
3. Output Escaping:
echo esc_html($marker_);
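The three steps above, carried through as an added example (not HT Mega's own code): the unsafe rendering pattern the advisory describes beside a hardened version of the same widget output. The `$settings` array and the `htmega_demo_*` names are assumptions; the field names `notification_content` and `sttt_button_text` come from the advisory.

```php
<?php
// Added example, not HT Mega's own code. $settings and the htmega_demo_*
// names are assumptions; the field names come from the advisory.

// VULNERABLE: a Contributor's saved settings are echoed verbatim, so stored
// markup in either field runs in the browser of whoever views the page.
function htmega_demo_render_unsafe( array $settings ) {
    echo '<div class="htmega-notification">' . $settings['notification_content'] . '</div>';
    echo '<button class="htmega-sttt">' . $settings['sttt_button_text'] . '</button>';
}

// Allowlist for the rich-text field: basic formatting only. wp_kses() drops
// every tag and attribute not listed here, including event handlers.
function htmega_demo_allowed_html() {
    return array(
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
    );
}

// HARDENED, step 1: sanitize on save. Text field -> sanitize_text_field();
// rich-text field -> wp_kses() with the allowlist (esc_html() would destroy
// the formatting the field is meant to carry).
function htmega_demo_sanitize_settings( array $settings ) {
    $settings['sttt_button_text'] = sanitize_text_field(
        wp_unslash( $settings['sttt_button_text'] ?? '' )
    );
    $settings['notification_content'] = wp_kses(
        wp_unslash( $settings['notification_content'] ?? '' ),
        htmega_demo_allowed_html()
    );
    return $settings;
}

// HARDENED, step 2: escape on output, with the function matched to the
// context the value lands in. Re-filtering here also covers values that were
// stored before the fix and never went through step 1.
function htmega_demo_render_safe( array $settings ) {
    echo '<div class="htmega-notification">'
        . wp_kses( $settings['notification_content'] ?? '', htmega_demo_allowed_html() )
        . '</div>';
    $label = $settings['sttt_button_text'] ?? '';
    // Attribute value -> esc_attr(); text node -> esc_html().
    echo '<button class="htmega-sttt" title="' . esc_attr( $label ) . '">'
        . esc_html( $label )
        . '</button>';
}
```

Sanitizing on save alone is not enough: rows written before the upgrade still hold whatever the Contributor submitted, so the output-side escaping is what actually closes the hole for existing content.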
WAF Rule (ModSecurity):
SecRule ARGS "@rx <script" "id:1005,deny,msg:'XSS Attempt'"
WordPress Hardening:
add_filter( 'wp_kses_allowed_html', 'restrict_scripts' );
function restrict_scripts( $tags ) {
    unset( $tags['script'] ); // never allow <script> through wp_kses(), whatever the context
    return $tags;
}
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1802
Extra Source Hub:
Undercode