CVE-2022-4501
HIGHMega Addons for WPBakery Page Builder <= 4.3.0 - Authenticated Authorization Bypass via vc_saving_data Function
Title source: llmDescription
The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin's settings.
References (3)
Core 3
Core References
Patch, Third Party Advisory
https://plugins.trac.wordpress.org/browser/mega-addons-for-visual-composer/tags/4.2.7/main.php#L87
Scores
CVSS v3
7.1
EPSS
0.0069
EPSS Percentile
48.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
nasir179125/Mega Addons For WPBakery Page Builder
< 4.3.0
topdigitaltrends/mega_addons_for_wpbakery_page_builder
< 4.2.7
Published
Dec 14, 2022
Tracked Since
Feb 18, 2026