Description

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action that returns some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days.

State: PUBLISHED | Reserved: 2026-03-13 | Published: 2026-04-23 | Updated: 2026-04-23 | Assigner: WPScan

Problem types

CWE-200 Information Exposure

Product status

Default status: unaffected

Any version before 3.0.7: affected

Credits

Chiao-Lin Yu (Steven Meow), finder

WPScan, coordinator

References

wpscan.com/...rability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-4106)

nvd.nist.gov (CVE-2026-4106)