309 matches found

Nuclei
added yesterday, 5 views

HT Mega < 3.0.7 - Sensitive Information Disclosure

The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation. id: CVE-2026-4106 info: name: HT Mega 3.0.7 - Sensitive Information Disclosure author: EFETR severity: high description: |...

CVSS 5.3, AI score 5.8, EPSS 0.0039
Exploits: 1, References: 2

Nuclei
added 2 days ago, 7 views

HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation

The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the regrole parameter on the htmegaajaxregister function. This makes it possible for unauthenticated attackers to create administrator accounts. id...

CVSS 9.8, AI score 6, EPSS 0.5198
Exploits: 0, References: 4

Patchstack
added 2026/04/24 9:00 a.m., 3 views

WordPress HT Mega plugin < 3.0.7 - Unauthenticated PII Disclosure vulnerability

Unauthenticated PII Disclosure vulnerability discovered by Chiao-Lin Yu Steven Meow in WordPress Plugin HT Mega versions < 3.0.7...

CVSS 5.3, AI score 5.2, EPSS 0.0039
Exploits: 1, References: 1, Affected Software: 1

Cvelist
added 2026/04/23 6:00 a.m., 26 views

CVE-2026-4106 HT Mega < 3.0.7 – Unauthenticated PII Disclosure

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII such as full name, city, state and country of customers who placed orders in the last 7 days...

EPSS 0.0039
Exploits: 1, References: 1

CVE
added 2026/04/23 6:00 a.m., 25 views

CVE-2026-4106

The HT Mega Addons for Elementor WordPress plugin is affected by CVE-2026-4106, with versions before 3.0.7 exposing an unauthenticated AJAX action that returns PII (e.g., full name, city, state, country) for customers who placed orders in the last 7 days. Impact is information disclosure of custo...

CVSS 5.3, AI score 5.8, EPSS 0.0039
Exploits: 1, References: 1

ATTACKERKB
added 2026/04/23 6:00 a.m., 2 views

CVE-2026-4106

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII such as full name, city, state and country of customers who placed orders in the last 7 days...

AI score 5.8, EPSS 0.0039
Exploits: 1, References: 1

Vulnrichment
added 2026/04/23 6:00 a.m., 0 views

CVE-2026-4106 HT Mega < 3.0.7 – Unauthenticated PII Disclosure

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII such as full name, city, state and country of customers who placed orders in the last 7 days...

AI score 5.8, EPSS 0.0039
Exploits: 1, References: 1

CNNVD
added 2026/04/23 12:00 a.m., 4 views

WordPress plugin HT Mega Addons for Elementor Information Disclosure Vulnerability

WordPress is a blog platform developed using the PHP language by the WordPress Foundation. This platform allows users to create personal blogs on servers based on PHP and MySQL. WordPress Plugins are application plugins developed by the WordPress Foundation. The WordPress plugin HT Mega Addons fo...

CVSS 5.3, AI score 5.8, EPSS 0.0039
Exploits: 1, References: 1

Positive Technologies
added 2026/04/13 12:00 a.m., 0 views

PT-2026-32365

🚨 CVE-2026-4106 - high 🚨 HT Mega 3.0.7 - Sensitive Information Disclosure The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via ... 👾 https://t.co/E28AtYPWG9 @pdnuclei NucleiTemplates cve...

AI score 5.8, EPSS 0.0039
Exploits: 1, References: 2

Patchstack
added 2026/02/02 7:47 p.m., 3 views

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox Widget vulnerability

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox Widget vulnerability discovered by wesley wcraft in WordPress Plugin HT Mega versions <= 2.4.6...

CVSS 6.4, AI score 5.2, EPSS 0.00148
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/02/02 12:49 p.m., 2 views

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Grid Widget vulnerability

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Grid Widget vulnerability discovered by João Pedro Soares de Alcântara - Kinorth in WordPress Plugin HT Mega versions <= 2.4.9...

CVSS 6.4, AI score 5.3, EPSS 0.00177
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/02/02 9:16 a.m., 3 views

WordPress HT Mega plugin <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify vulnerability discovered by Ngô Thiên An ancorn in WordPress Plugin HT Mega versions <= 2.5.0...

CVSS 6.4, AI score 5.3, EPSS 0.00229
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/02/02 8:41 a.m., 3 views

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Player Widget Settings vulnerability

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Player Widget Settings vulnerability discovered by João Pedro Soares de Alcântara - Kinorth in WordPress Plugin HT Mega versions <= 2.5.5...

CVSS 6.4, AI score 5.3, EPSS 0.0031
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2026/01/09 8:59 a.m., 7 views

CVE-2023-50901

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HT Mega – Absolute Addons For Elementor allows Reflected XSS. This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.8...

CVSS 7.1, AI score 7.1, EPSS 0.00167
Exploits: 0, References: 1

RedhatCVE
added 2026/01/07 9:18 a.m., 8 views

CVE-2025-1261

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVSS 6.4, AI score 5.9, EPSS 0.00361
Exploits: 0, References: 1

RedhatCVE
added 2026/01/07 9:13 a.m., 6 views

CVE-2024-2084

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox widget in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 6.4, AI score 5.8, EPSS 0.00148
Exploits: 0, References: 1

RedhatCVE
added 2026/01/07 9:13 a.m., 6 views

CVE-2024-2790

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Accordion widget in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4, AI score 5.8, EPSS 0.00177
Exploits: 0, References: 1

CNVD
added 2025/11/25 12:00 a.m., 3 views

WordPress HT Mega plugin cross-site scripting vulnerability

WordPress HT Mega plugin is an Elementor page builder plugin designed for WordPress websites. The WordPress HT Mega plugin suffers from a cross-site scripting vulnerability that stems from insufficient validation of user-supplied HTML tag name input, which can be exploited by an attacker to execu...

CVSS 6.4, AI score 5.9, EPSS 0.00032
Exploits: 0, References: 1

NVD
added 2025/11/21 9:15 a.m., 3 views

CVE-2025-13141

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the lack of a tag name...

CVSS 6.4, EPSS 0.00032
Exploits: 0, References: 2

Cvelist
added 2025/11/21 8:28 a.m., 5 views

CVE-2025-13141 HT Mega – Absolute Addons For Elementor <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tag Attribute Injection

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the lack of a tag name...

CVSS 6.4, EPSS 0.00032
Exploits: 0, References: 2