CVE-2026-4106

Severity: MEDIUM · Nuclei template: available

HT Mega Addons for Elementor < 3.0.7 - Unauthenticated Personal Information Disclosure

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-4106, a PoC published by ef3tr. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-4106, targeting the HT Mega WordPress plugin. The exploit leverages unauthenticated AJAX endpoints to extract sensitive PII data, including customer names, billing addresses, and purchase details.

Description

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action that returns some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days. Because unauthenticated WordPress AJAX handlers are reachable by any client that can request /wp-admin/admin-ajax.php, no WordPress account is needed to trigger the disclosure; the fix is to update to 3.0.7 or later.
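An added example, not code from this page, the PoC repository or the plugin: the version gate a practitioner would run before going anywhere near the endpoint. It reads the "Stable tag" line of a WordPress plugin's readme.txt (commonly served from /wp-content/plugins/ht-mega-for-elementor/readme.txt; that slug is an assumption, and the readme text below is constructed for the example) and compares it numerically against 3.0.7, so that a version such as 3.0.10 is correctly treated as patched rather than failing a string comparison. It does not call the vulnerable AJAX action, which the advisory does not name.

```python
import re

# Constructed sample of a WordPress plugin readme.txt header. Only the
# "Stable tag" line matters here; the other values are made up.
SAMPLE_README = """=== HT Mega - Absolute Addons for Elementor ===
Contributors: example
Tags: elementor, addons
Requires at least: 5.0
Tested up to: 6.5
Stable tag: 3.0.6
License: GPLv2 or later
"""

FIXED_VERSION = "3.0.7"  # first fixed release per the advisory above


def parse_version(v):
    """Turn '3.0.10' into (3, 0, 10) so comparison is numeric, not lexical.
    A trailing pre-release suffix (e.g. '3.0.7-beta') is dropped."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def extract_stable_tag(readme_text):
    """Return the 'Stable tag' value from a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess_readme(readme_text):
    """Parse a readme.txt and return (stable_tag, verdict).

    verdict is True (below 3.0.7), False (3.0.7 or later) or None when the
    readme gives no usable version ('trunk' or no Stable tag at all)."""
    tag = extract_stable_tag(readme_text)
    if tag is None or tag.lower() == "trunk":
        return tag, None
    return tag, is_vulnerable(tag)


if __name__ == "__main__":
    tag, verdict = assess_readme(SAMPLE_README)
    label = {True: "vulnerable", False: "not vulnerable", None: "undetermined"}[verdict]
    print(f"Stable tag {tag}: {label}")
```

The readme's Stable tag is a fingerprinting heuristic, not proof: it can lag the files actually deployed, some hosts block readme.txt, and "trunk" carries no version. Treat None as "confirm by another route" rather than "not affected".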

Exploits (1)

nomisec · WORKING POC · 1 star
by ef3tr · poc
https://github.com/ef3tr/CVE-2026-4106


Classification: Working PoC (95%)
Attack type: Info leak
Complexity: Moderate
Reliability: Reliable
Target: HT Mega - Absolute Addons for Elementor (versions < 3.0.7)
Authentication: none required
Prerequisites: Target must have the vulnerable HT Mega plugin installed and accessible
Analyzed by devstral-2 on Apr 28, 2026

Nuclei Templates (1)

HT Mega < 3.0.7 - Sensitive Information Disclosure
Severity: HIGH · VERIFIED · by EFETR (note that the template's severity tag is HIGH while the CVSS v3 score on this page is 5.3, MEDIUM)

References (1)

Core references (1)
https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/ (tags: exploit, vdb-entry, technical-description)

Scores

CVSS v3.1 base score: 5.3 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (network, low complexity, no privileges, no user interaction, unchanged scope; low confidentiality impact, no integrity or availability impact)
Attack vector: NETWORK
EPSS: 0.0053 (0.53% estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 67.8%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical impact: partial

Details

CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status: published
Products (1): HT Mega Addons for Elementor < 3.0.7 (vendor not specified)
Published: Apr 23, 2026
Tracked since: Apr 23, 2026