{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4106", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-13T09:10:56.371Z", "datePublished": "2026-04-23T06:00:06.084Z", "dateUpdated": "2026-04-23T15:29:25.910Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-23T06:00:06.084Z"}, "title": "HT Mega < 3.0.7 \u2013 Unauthenticated PII Disclosure", "problemTypes": [{"descriptions": [{"description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "HT Mega Addons for Elementor", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "3.0.7"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days"}], "references": [{"url": "https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Chiao-Lin Yu (Steven Meow)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:01:07.027232Z", "id": "CVE-2026-4106", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T15:29:25.910Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4106", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:01:07.027232Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:01:22.480Z"}}], "cna": {"title": "HT Mega < 3.0.7 \u2013 Unauthenticated PII Disclosure", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Chiao-Lin Yu (Steven Meow)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "HT Mega Addons for Elementor", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-23T06:00:06.084Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4106", "state": "PUBLISHED", "dateUpdated": "2026-04-23T15:29:25.910Z", "dateReserved": "2026-03-13T09:10:56.371Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-23T06:00:06.084Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days"}], "id": "CVE-2026-4106", "lastModified": "2026-04-23T18:16:30.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T07:16:41.210", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "HT Mega Addons for Elementor", "source": "cna", "vendor": "Unknown"}, "product": "ht_mega_addons_for_elementor", "vendor": "ht_mega_addons"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T14:58:43.696513+00:00", "value": {"mitigation_remediation": ["Upgrade HT Mega Addons for Elementor to version 3.0.7 or later.", "If an upgrade is not immediately possible, disable the vulnerable AJAX action by removing its hook or restricting it to authenticated users via custom code or plugin settings.", "Audit recent customer records for any exposed data and notify affected individuals as required by privacy regulations."], "summary": {"action": "Update Plugin", "impact": "PII Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the HT Mega Addons for Elementor plugin installed in a version earlier than 3.0.7. No other plugins or WordPress core components are directly impacted. The issue is limited to the plugin's AJAX endpoint and is not mitigated by default WordPress security settings. Users must verify that the plugin version in use meets the minimum required version to avoid exposure.", "description_and_impact": "The HT Mega Addons for Elementor WordPress plugin versions before 3.0.7 allow an attacker to trigger an unauthenticated AJAX action that returns personally identifiable information, such as full names, cities, states, and countries, of customers who placed orders within the last seven days. This privacy violation can expose sensitive user data without authorization and potentially lead to identity theft or phishing operations. The vulnerability is a classic information disclosure flaw (CWE\u2011200) and does not allow code execution or escalation of privileges.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, driven primarily by the availability of sensitive data. The EPSS score of less than 1% suggests the probability of exploitation is low, and the vulnerability is not present in the CISA KEV catalog. The likely attack vector is any unauthenticated user able to send a crafted AJAX request to the vulnerable endpoint, bypassing any login requirement. Because the data is limited to recent orders, the window of exploitation is narrow, but the severity of the privacy breach remains significant."}}}}, "created": "2026-04-28T09:26:21.390311+00:00", "updated": "2026-04-28T15:00:14.542854+00:00", "vendors": ["ht_mega_addons", "ht_mega_addons$PRODUCT$ht_mega_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}