WordPress Plugin Vulnerabilities

HT Mega < 3.0.7 – Unauthenticated PII Disclosure

Description

The plugin contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days

Proof of Concept

Affects Plugins

Plugin icon
ht-mega-for-elementor
Fixed in 3.0.7

References

CVE
CVE-2026-4106

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Chiao-Lin Yu (Steven Meow)
Submitter
Chiao-Lin Yu (Steven Meow)
Submitter website
https://www.linkedin.com/in/chiao-lin-yu-195533170/
Verified
Yes
WPVDB ID
9477ead2-3990-4aae-8e66-09ee2f4daa3e

Timeline

Publicly Published
2026-04-02 (about 12 days ago)
Added
2026-04-02 (about 12 days ago)
Last Updated
2026-04-02 (about 12 days ago)

Other

Published
Title
Published
2024-03-18
Title
WP Go Maps < 9.0.35 - Information Exposure to Potential Denial of Service
Published
2025-04-16
Title
Church Admin < 5.0.10 - Unauthenticated Information Disclosure
Published
2025-11-05
Title
Hotel Booking < 2.2.8 - Unauthenticated Information Exposure
Published
2025-12-01
Title
Zigaform < 7.6.7 - Unauthenticated Form Submission Data Disclosure in rocket_front_payment_seesummary AJAX Endpoint
Published
2024-01-15
Title
FastDup – Fastest WordPress Migration & Duplicator < 2.2 - Directory Listing to Account Takeover and Sensitive Data Exposure