CVE-2026-4106

MEDIUM NUCLEI

HT Mega < 3.0.7 – Unauthenticated PII Disclosure

Title source: cna

Description

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days

Nuclei Templates (1)

HT Mega < 3.0.7 - Sensitive Information Disclosure

HIGHVERIFIEDby EFETR

References (1)

[Exploit] https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/

Scores

CVSS v3 5.3

EPSS 0.0055

EPSS Percentile 67.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200

Status published

Products (1)

None/HT Mega Addons for Elementor < 3.0.7

Published Apr 23, 2026

Tracked Since Apr 23, 2026