CVE-2025-8151: 
WordPress vulnerability analysis and mitigation

The HT Mega – Absolute Addons For Elementor WordPress plugin is vulnerable to Path Traversal in versions up to and including 2.9.1. The vulnerability exists in the 'saveblockcss' function, which allows authenticated attackers with Author-level access or above to create CSS files in any directory and delete CSS files in any directory in a Windows environment (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue stems from improper limitation of a pathname to a restricted directory (CWE-22) in the plugin's file management functionality. The vulnerability specifically affects the 'saveblockcss' function located in the ManageStyles.php file ([WordPress Plugin](https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.1/htmega-blocks/includes/classes/ManageStyles.php#L118)).

When exploited, this vulnerability allows authenticated attackers with Author-level privileges or higher to manipulate CSS files across any directory in a Windows environment. This includes both the creation and deletion of CSS files, potentially leading to unauthorized file operations and system manipulation (NVD).

The vulnerability has been addressed in version 2.9.2 of the plugin. Users are advised to update to this version which includes security improvements and fixes for the path traversal vulnerability (WordPress Plugin).