VYPR
Medium severity (5.3) · NVD Advisory · Published Apr 23, 2026 · Updated Apr 23, 2026

CVE-2026-4106

Description

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The HT Mega Addons for Elementor plugin before 3.0.7 exposes an unauthenticated AJAX endpoint that leaks PII of recent customers.

Vulnerability Details

The HT Mega Addons for Elementor WordPress plugin, versions prior to 3.0.7, contains an unauthenticated AJAX action that returns personally identifiable information (PII) of customers who placed orders in the last 7 days. The exposed data includes full name, city, state, and country [1]. This is a sensitive data disclosure vulnerability that does not require any authentication to exploit.

Exploitation

An attacker can trigger the vulnerable AJAX endpoint without any authentication or special privileges. The endpoint is accessible to any visitor to the site, allowing them to retrieve the PII of recent customers simply by sending a crafted request [1]. No prior knowledge or access is needed.

Impact

Successful exploitation allows an attacker to obtain the full names and location details (city, state, country) of customers who have placed orders recently. This information can be used for targeted phishing campaigns, social engineering, or other malicious activities that rely on personal data [1].

Mitigation

The vulnerability has been fixed in version 3.0.7 of the HT Mega Addons plugin. Users are strongly advised to update to the latest version immediately. No workaround is available [1].
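The defect class described above, as an added example that is not the plugin's code: a WordPress AJAX handler registered for logged-out visitors that hands back order PII, beside a hardened version of the same handler. The action names, function names and the use of WooCommerce's order API are assumptions; the advisory does not name the plugin's real action or data source.

```php
<?php
// Added example, not code from HT Mega Addons. The plugin's real action name,
// handler and data source are not on the advisory page; every name below is
// hypothetical. Assumes WordPress plus WooCommerce's wc_get_orders().

// Vulnerable pattern: the `wp_ajax_nopriv_` hook makes the handler reachable
// by any visitor through admin-ajax.php, and the response carries customer PII.
add_action( 'wp_ajax_nopriv_example_recent_orders', 'example_recent_orders_vulnerable' );
add_action( 'wp_ajax_example_recent_orders',        'example_recent_orders_vulnerable' );
function example_recent_orders_vulnerable() {
    $orders = wc_get_orders( array(
        'date_created' => '>' . ( time() - 7 * DAY_IN_SECONDS ), // last 7 days
        'limit'        => 20,
    ) );
    $out = array();
    foreach ( $orders as $order ) {
        $out[] = array(
            'name'    => $order->get_formatted_billing_full_name(),
            'city'    => $order->get_billing_city(),
            'state'   => $order->get_billing_state(),
            'country' => $order->get_billing_country(),
        );
    }
    wp_send_json_success( $out ); // PII returned to an unauthenticated caller
}

// Hardened pattern: no nopriv registration, a nonce check, a capability check
// (the nonce alone is not authentication: WordPress issues nonces to logged-out
// sessions too), and no per-customer fields in the response.
add_action( 'wp_ajax_example_recent_orders_safe', 'example_recent_orders_safe' );
function example_recent_orders_safe() {
    check_ajax_referer( 'example_recent_orders', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $order_ids = wc_get_orders( array(
        'date_created' => '>' . ( time() - 7 * DAY_IN_SECONDS ),
        'limit'        => -1,
        'return'       => 'ids',
    ) );
    // Aggregate only: a count is enough for a "recent sales" widget and
    // discloses nothing about any individual customer.
    wp_send_json_success( array( 'recent_order_count' => count( $order_ids ) ) );
}
```

The same review checklist applies to any `admin-ajax.php` handler: every `wp_ajax_nopriv_` registration should be justified, and anything it returns should be treated as public.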

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (1)