HT Mega WordPress Plugin Improper Authorization Vulnerability in Template Management

Vulnerability

A vulnerability exists in the HT Mega – Absolute Addons For Elementor WordPress plugin, all versions through 2.9.1. The issue stems from an improper capability check in the 'ajax_trash_templates' function, allowing authenticated attackers with Contributor-level access and above to delete arbitrary attachment files and move posts, pages, and templates to the Trash.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of attachment files and manipulation of post, page, and template statuses, potentially leading to data loss.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the 'ajax_trash_templates' AJAX endpoint. This request can include the IDs of the templates to be trashed. The absence of proper capability checks allows the user to delete templates that they may not have permission to manage.
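For contrast with the missing check described above, the following is an added example of what a correctly authorized trash handler looks like in WordPress. It is not the plugin's own code: the action name, function name, nonce action, `ids` parameter and `example_template` post type are hypothetical; the WordPress APIs used (`check_ajax_referer`, `current_user_can`, `get_post`, `wp_trash_post`, `wp_send_json_*`) are real.

```php
<?php
// Added example (hypothetical names, not the plugin's code): an AJAX trash
// handler that a Contributor-level account cannot abuse, because every
// request passes a nonce check, a role gate and a per-object capability check.

add_action( 'wp_ajax_example_trash_templates', 'example_ajax_trash_templates' );

function example_ajax_trash_templates() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_trash_templates', 'nonce' );

    // 2. Coarse role gate (policy chosen for this example): Contributors lack
    //    'delete_others_posts', so they are rejected before any ID is read.
    if ( ! current_user_can( 'delete_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Normalise the submitted IDs to non-negative integers; drop anything else.
    $ids = isset( $_POST['ids'] ) ? array_map( 'absint', (array) $_POST['ids'] ) : array();
    $ids = array_filter( $ids );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No IDs supplied.' ), 400 );
    }

    $trashed = array();
    foreach ( $ids as $id ) {
        $post = get_post( $id );
        // 3. Scope to the plugin's own template post type: IDs of ordinary posts,
        //    pages or attachments are ignored instead of being trashed or deleted.
        if ( ! $post || 'example_template' !== $post->post_type ) {
            continue;
        }
        // 4. Per-object check: 'delete_post' is a meta capability that WordPress
        //    resolves against this specific post (owner, status, post type caps).
        if ( ! current_user_can( 'delete_post', $id ) ) {
            continue;
        }
        if ( wp_trash_post( $id ) ) {
            $trashed[] = $id;
        }
    }

    wp_send_json_success( array( 'trashed' => $trashed ) );
}
```

Removing either check 2 or check 4 reproduces the class of flaw this advisory describes: a logged-in low-privilege user could then trash content they do not own.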

Remediation

Users are advised to update the HT Mega – Absolute Addons For Elementor WordPress plugin to version 2.9.2 or later.

Added: Jul 31, 2025, 12:24 PM
Updated: Jul 31, 2025, 12:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.