WordPress Plugin Vulnerabilities

HT Mega – Absolute Addons For Elementor < 2.4.7 - Contributor+ Directory Traversal

Description

The HT Mega – Absolute Addons For Elementor plugin is vulnerable to Directory Traversal via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
ht-mega-for-elementor
Fixed in 2.4.7

References

CVE
CVE-2024-1974
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/11b5f0a1-bf22-46be-a165-c62f1077da0f

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
9c12485e-881c-4719-bfb5-723ad95cf725

Timeline

Publicly Published
2024-03-14 (about 2 years ago)
Added
2024-03-18 (about 2 years ago)
Last Updated
2024-03-18 (about 2 years ago)

Other

Published
Title
Published
2026-01-16
Title
Post Slides <= 1.0.1 - Contributor+ Local File Inclusion
Published
2026-04-16
Title
Client Portal (Pro) < 5.6.3 - Authenticated (CP Client+) Arbitrary File Download
Published
2025-01-31
Title
Jupiterx Core < 4.8.8 - Authenticated (Contributor+) Arbitrary File Read
Published
2014-08-01
Title
DM Albums - Multiple Remote File Disclosure
Published
2025-09-30
Title
Taskbot < 6.5 - Authenticated (Subscriber+) Arbitrary File Deletion