WordPress Plugin Vulnerabilities

HT Mega < 2.3.4 - Arbitrary Plugin/Theme Activation via CSRF

Description

The plugin does not have CSRF checks in various functions in its admin/include/template-library.php file, which could allow attackers to make logged in admins activate plugins/themes via CSRF attacks

Affects Plugins

Plugin icon
ht-mega-for-elementor
Fixed in 2.3.4

References

CVE
CVE-2023-51529
URL
https://patchstack.com/database/vulnerability/ht-mega-for-elementor/wordpress-ht-mega-absolute-addons-for-elementor-plugin-2-3-3-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Brandon James Roldan (tomorrowisnew)
Verified
No
WPVDB ID
6c32cf90-f61e-426e-b8a3-df62f7331e7f

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2025-02-03
Title
Fyrebox Quizzes <= 3.1 - Stored XSS via CSRF
Published
2024-11-28
Title
Mins To Read <= 1.2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-11-17
Title
Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update
Published
2025-09-22
Title
BP Disable Activation Reloaded <= 1.2.1 - Cross-Site Request Forgery
Published
2023-09-20
Title
Inactive Logout < 3.2.3 - Cross-Site Request Forgery