WordPress Plugin Vulnerabilities

HT Mega – Absolute Addons For Elementor < 2.4.8 - Missing Authorization to Information Exposure

Description

The HT Mega plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the duplicate() function in all versions up to, and including, 2.4.7. This makes it possible for authenticated attackers, with contributor-level access and above, to duplicate arbitrary posts that may contain sensitive information.

Affects Plugins

Plugin icon
ht-mega-for-elementor
Fixed in 2.4.8

References

CVE
CVE-2024-32782
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/249ad768-3706-47c6-ad1d-f11900b87608

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Khalid
Verified
No
WPVDB ID
3486a7c3-e2a7-4729-936d-02582ed01080

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-05-03 (about 2 years ago)
Last Updated
2024-05-03 (about 2 years ago)

Other

Published
Title
Published
2025-05-16
Title
Spotlight - Social Media Feeds (Premium) < 1.7.2 - Unauthenticated Information Exposure
Published
2020-09-21
Title
JobMonster < 4.6.6.1 - Directory Listing in Upload Folder
Published
2026-01-08
Title
NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure
Published
2025-12-08
Title
AI CoPilot < 1.2.8 - Authenticated (Contributor+) Sensitive Information Exposure
Published
2025-03-07
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.12 - Authenticated (Contributor+) Protected Post Disclosure