HT Mega – Absolute Addons for WPBakery Page Builder Security & Risk Analysis

wordpress.org/plugins/ht-mega-for-wpbakery

HTMega is an addons package for the WPBakery Page Builder plugin for WordPress.

900 active installs · v1.1.0 · PHP 5.6+ · WP 5.0+ · Updated Dec 4, 2025
Tags: mega-addons, wpbakery, wpbakery-addons, wpbakery-page-builder
Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is HT Mega – Absolute Addons for WPBakery Page Builder Safe to Use in 2026?

Generally Safe

Score 98/100

HT Mega – Absolute Addons for WPBakery Page Builder has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Sep 22, 2025 · Updated 5mo ago
Risk Assessment

The ht-mega-for-wpbakery plugin v1.1.0 exhibits a mixed security posture. On the positive side, all SQL queries utilize prepared statements, a significant portion of output is properly escaped, and there are no identified untainted flows or file operations. The plugin also has a reasonable number of entry points, none of which are unprotected, which is good. However, several concerning signals are present. The use of 'create_function' is a notable risk, as this function is deprecated and can be a vector for code injection if used improperly. The absence of nonce checks across all entry points is a significant weakness, potentially allowing Cross-Site Request Forgery (CSRF) attacks. The limited number of capability checks further exacerbates this risk, as it implies that actions might be performed without proper authorization.

The vulnerability history indicates a pattern of Cross-site Scripting (XSS) vulnerabilities, with two medium-severity CVEs recorded. While currently unpatched vulnerabilities are zero, the recurring nature of XSS suggests that input sanitization and output escaping practices, while generally good, may have overlooked specific edge cases. The last recorded vulnerability in 2025 suggests that the provided data might be future-dated or a placeholder, which complicates a precise assessment of current risk. Overall, the plugin has some strong security fundamentals in place, particularly regarding SQL and output handling, but the lack of nonce checks and the presence of 'create_function' represent critical areas for immediate improvement to mitigate potential XSS and CSRF risks.

Key Concerns

  • Use of deprecated and potentially dangerous create_function
  • No nonce checks found
  • Only 2 capability checks for 29 entry points
  • 2 Medium CVEs historically
  • 14% of output not properly escaped
Vulnerabilities
2 published

HT Mega – Absolute Addons for WPBakery Page Builder Security Vulnerabilities

CVEs by Year

2 CVEs in 2025

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-53463 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HT Mega – Absolute Addons for WPBakery Page Builder <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 Patched in 1.1.0 (17d)

CVE-2025-53206 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HT Mega – Absolute Addons for WPBakery Page Builder <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 27, 2025 Patched in 1.0.9 (6d)

Code Analysis
Analyzed Mar 16, 2026

HT Mega – Absolute Addons for WPBakery Page Builder Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 116 (696 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

create_function · admin\include\class.settings-api.php:105
$callback = create_function('', 'echo "' . str_replace( '"', '\"', $section['desc'] ) . '";');

Output Escaping

86% escaped · 812 total outputs
Attack Surface

HT Mega – Absolute Addons for WPBakery Page Builder Attack Surface

Entry Points: 29
Unprotected: 0

Shortcodes 29

[htmegavc_accordion] addons\accordion\htmegavc-accordion.php:13
[htmegavc_animated_heading] addons\animated-heading\htmegavc-animated-heading.php:13
[htmegavc_blockquote] addons\blockquote\htmegavc-blockquote.php:13
[htmegavc_brands] addons\brands\htmegavc-brands.php:13
[htmegavc_business_hours] addons\business-hours\htmegavc-business-hours.php:13
[htmegavc_button] addons\button\htmegavc-button.php:13
[htmegavc_cta] addons\call-to-action\htmegavc-call-to-action.php:13
[htmegavc_contact_form_seven] addons\contact-form-seven\htmegavc-contact-form-seven.php:13
[htmegavc_countdown] addons\countdown\htmegavc-countdown.php:13
[htmegavc_counter] addons\counter\htmegavc-counter.php:13
[htmegavc_dropcaps] addons\dropcaps\htmegavc-dropcaps.php:13
[htmegavc_google_map] addons\google-map\htmegavc-google-map.php:13
[htmegavc_image_comparison] addons\image-comparison\htmegavc-image-comparison.php:13
[htmegavc_image_grid] addons\image-grid\htmegavc-image-grid.php:13
[htmegavc_image_justify_gallery] addons\image-justify-gallery\htmegavc-image-justify-gallery.php:13
[htmegavc_image_magnifier] addons\image-magnifier\htmegavc-image-magnifier.php:12
[htmegavc_image_masonry] addons\image-masonry\htmegavc-image-masonry.php:13
[htmegavc_lightbox] addons\lightbox\htmegavc-lightbox.php:13
[htmegavc_mailchimp_for_wp] addons\mailchimp-for-wp\htmegavc-mailchimp-for-wp.php:13
[htmegavc_popover] addons\popover\htmegavc-popover.php:13
[htmegavc_pricing_table] addons\pricing-table\htmegavc-pricing-table.php:13
[htmegavc_progress_bar] addons\progress-bar\hemegavc-progress-bar.php:12
[htmegavc_section_title] addons\section-title\htmegavc-section-title.php:13
[htmegavc_thumb_gallery] addons\slider-thumb-gallery\htmegavc-slider-thumb-gallery.php:13
[htmegavc_team] addons\team\hemegavc-team.php:13
[htmegavc_testimonial] addons\testimonial\htmegavc-testimonial.php:13
[htmegavc_tooltip] addons\tooltip\htmegavc-tooltip.php:13
[htmegavc_vertical_timeline] addons\vertical-timeline\htmegavc-vertical-timeline.php:13
[htmegavc_video_player] addons\video-player\htmegavc-video-player.php:13

WordPress Hooks 67

action vc_after_init addons\accordion\htmegavc-accordion.php:10
action wp_enqueue_scripts addons\accordion\htmegavc-accordion.php:16
action vc_after_init addons\animated-heading\htmegavc-animated-heading.php:10
action wp_enqueue_scripts addons\animated-heading\htmegavc-animated-heading.php:16
action vc_after_init addons\blockquote\htmegavc-blockquote.php:10
action wp_enqueue_scripts addons\blockquote\htmegavc-blockquote.php:16
action vc_after_init addons\brands\htmegavc-brands.php:10
action wp_enqueue_scripts addons\brands\htmegavc-brands.php:16
action vc_after_init addons\business-hours\htmegavc-business-hours.php:10
action wp_enqueue_scripts addons\business-hours\htmegavc-business-hours.php:16
action vc_after_init addons\button\htmegavc-button.php:10
action wp_enqueue_scripts addons\button\htmegavc-button.php:16
action vc_after_init addons\call-to-action\htmegavc-call-to-action.php:10
action wp_enqueue_scripts addons\call-to-action\htmegavc-call-to-action.php:16
action vc_after_init addons\contact-form-seven\htmegavc-contact-form-seven.php:10
action wp_enqueue_scripts addons\contact-form-seven\htmegavc-contact-form-seven.php:16
action vc_after_init addons\countdown\htmegavc-countdown.php:10
action wp_enqueue_scripts addons\countdown\htmegavc-countdown.php:16
action vc_after_init addons\counter\htmegavc-counter.php:10
action wp_enqueue_scripts addons\counter\htmegavc-counter.php:16
action vc_after_init addons\dropcaps\htmegavc-dropcaps.php:10
action wp_enqueue_scripts addons\dropcaps\htmegavc-dropcaps.php:16
action vc_after_init addons\google-map\htmegavc-google-map.php:10
action wp_enqueue_scripts addons\google-map\htmegavc-google-map.php:16
action vc_after_init addons\image-comparison\htmegavc-image-comparison.php:10
action wp_enqueue_scripts addons\image-comparison\htmegavc-image-comparison.php:16
action vc_after_init addons\image-grid\htmegavc-image-grid.php:10
action wp_enqueue_scripts addons\image-grid\htmegavc-image-grid.php:16
action vc_after_init addons\image-justify-gallery\htmegavc-image-justify-gallery.php:10
action wp_enqueue_scripts addons\image-justify-gallery\htmegavc-image-justify-gallery.php:16
action vc_after_init addons\image-magnifier\htmegavc-image-magnifier.php:9
action wp_enqueue_scripts addons\image-magnifier\htmegavc-image-magnifier.php:15
action vc_after_init addons\image-masonry\htmegavc-image-masonry.php:10
action wp_enqueue_scripts addons\image-masonry\htmegavc-image-masonry.php:16
action vc_after_init addons\lightbox\htmegavc-lightbox.php:10
action wp_enqueue_scripts addons\lightbox\htmegavc-lightbox.php:16
action vc_after_init addons\mailchimp-for-wp\htmegavc-mailchimp-for-wp.php:10
action wp_enqueue_scripts addons\mailchimp-for-wp\htmegavc-mailchimp-for-wp.php:16
action vc_after_init addons\popover\htmegavc-popover.php:10
action wp_enqueue_scripts addons\popover\htmegavc-popover.php:16
action vc_after_init addons\pricing-table\htmegavc-pricing-table.php:10
action wp_enqueue_scripts addons\pricing-table\htmegavc-pricing-table.php:16
action vc_after_init addons\progress-bar\hemegavc-progress-bar.php:9
action wp_enqueue_scripts addons\progress-bar\hemegavc-progress-bar.php:15
action vc_after_init addons\section-title\htmegavc-section-title.php:10
action wp_enqueue_scripts addons\section-title\htmegavc-section-title.php:16
action vc_after_init addons\slider-thumb-gallery\htmegavc-slider-thumb-gallery.php:10
action wp_enqueue_scripts addons\slider-thumb-gallery\htmegavc-slider-thumb-gallery.php:16
action vc_after_init addons\team\hemegavc-team.php:10
action wp_enqueue_scripts addons\team\hemegavc-team.php:16
action vc_after_init addons\testimonial\htmegavc-testimonial.php:10
action wp_enqueue_scripts addons\testimonial\htmegavc-testimonial.php:16
action vc_after_init addons\tooltip\htmegavc-tooltip.php:10
action wp_enqueue_scripts addons\tooltip\htmegavc-tooltip.php:16
action vc_after_init addons\vertical-timeline\htmegavc-vertical-timeline.php:10
action wp_enqueue_scripts addons\vertical-timeline\htmegavc-vertical-timeline.php:16
action vc_after_init addons\video-player\htmegavc-video-player.php:10
action wp_enqueue_scripts addons\video-player\htmegavc-video-player.php:16
action admin_enqueue_scripts admin\admin-init.php:8
action admin_init admin\include\admin-setting.php:14
action admin_menu admin\include\admin-setting.php:15
action admin_enqueue_scripts admin\include\class.settings-api.php:28
action admin_notices inc\activation-notice.php:14
filter vc_font_container_get_fonts_filter inc\helper-functions.php:4
action init inc\helper-functions.php:11
action wp_enqueue_scripts init.php:44
action init init.php:47
Maintenance & Trust

HT Mega – Absolute Addons for WPBakery Page Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 4, 2025
PHP min version: 5.6
Downloads: 15K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 900
Developer Profile

HT Mega – Absolute Addons for WPBakery Page Builder Developer Profile

HT Plugins

25 plugins · 64K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 121 days
Detection Fingerprints

How We Detect HT Mega – Absolute Addons for WPBakery Page Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ht-mega-for-wpbakery/assets/css/global.css
/wp-content/plugins/ht-mega-for-wpbakery/libs/bootstrap/htbbootstrap.css
/wp-content/plugins/ht-mega-for-wpbakery/libs/bootstrap/popper.min.js
/wp-content/plugins/ht-mega-for-wpbakery/libs/bootstrap/htbbootstrap.js
Script Paths
/wp-content/plugins/ht-mega-for-wpbakery/libs/bootstrap/popper.min.js
/wp-content/plugins/ht-mega-for-wpbakery/libs/bootstrap/htbbootstrap.js

HTML / DOM Fingerprints

CSS Classes
htmegavc-countdown-widget, htmegavc-button-widget, htmegavc-animated-heading-widget, htmegavc-blockquote-widget, htmegavc-brands-widget, htmegavc-business-hours-widget, htmegavc-call-to-action-widget, htmegavc-counter-widget, +20 more
Data Attributes
data-htmegavc-countdown, data-htmegavc-button, data-htmegavc-animated-heading, data-htmegavc-blockquote, data-htmegavc-brands, data-htmegavc-business-hours, +22 more
JS Globals
HTMEGAVC_URI, HTMEGAVC_ASSETS_URI, HTMEGAVC_LIBS_URI, HTMEGAVC_DIR, htmegavc_get_option
Shortcode Output
[htmegavc_countdown, [htmegavc_animated_heading, [htmegavc_button, [htmegavc_blockquote