HT Mega Addons for Elementor Unauthenticated PII Disclosure Vulnerability

Vulnerability

A vulnerability in the HT Mega Addons for Elementor WordPress plugin, affecting versions prior to 3.0.7, allows for the unauthenticated disclosure of personally identifiable information (PII). The vulnerability arises from an AJAX action that exposes PII, such as full names, cities, states, and countries, of customers who placed orders in the last seven days.

Impact

Exploitation of this vulnerability leads to the unauthorized exposure of sensitive customer information, including full names and location details.

Reproduction

To reproduce this vulnerability, access the source of any frontend page to find the 'wcsales_purchased_products' AJAX action. Retrieve the security nonce associated with this action, then send a request to 'wp-admin/admin-ajax.php' with the action and nonce included. This will trigger the PII disclosure.
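For responders checking whether the action was requested on a site, the following added example (not part of the original advisory or of the plugin's code) scans access-log lines for 'wp-admin/admin-ajax.php' requests that name 'wcsales_purchased_products' in the query string. The Combined Log Format, the sample lines and the IP addresses are assumptions constructed for illustration; POST bodies are not logged, so POSTs with no visible action are only counted as unattributable.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ACTION = "wcsales_purchased_products"  # AJAX action named in the advisory
ENDPOINT = "/wp-admin/admin-ajax.php"
# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def triage(lines):
    """Return (hits, opaque) as per-client-IP Counters.

    hits:   200 responses to admin-ajax.php with ACTION in the query string.
    opaque: 200 responses to POSTs with no action in the query string; the
            action travels in the body, which access logs do not record.
    """
    hits, opaque = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format request line
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        if status != "200" or not url.path.endswith(ENDPOINT):
            continue
        actions = parse_qs(url.query).get("action", [])  # percent-decodes values
        if ACTION in actions:
            hits[ip] += 1
        elif method == "POST" and not actions:
            opaque[ip] += 1
    return hits, opaque

# Constructed sample lines (documentation IP ranges), not taken from a real site.
SAMPLE = [
    '198.51.100.7 - - [22/Apr/2026:07:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=wcsales_purchased_products HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [22/Apr/2026:07:01:40 +0000] "GET /wp-admin/admin-ajax.php?action=wcsales%5Fpurchased%5Fproducts HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [22/Apr/2026:07:02:03 +0000] "GET /wp-admin/admin-ajax.php?action=wcsales_purchased_products HTTP/1.1" 403 2 "-" "-"',
    '203.0.113.9 - - [22/Apr/2026:07:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 4870 "-" "-"',
    '192.0.2.44 - - [22/Apr/2026:07:06:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "-"',
    '192.0.2.44 - - [22/Apr/2026:07:06:11 +0000] "GET /shop/ HTTP/1.1" 200 18342 "-" "-"',
]

if __name__ == "__main__":
    hits, opaque = triage(SAMPLE)
    print("action seen in query string:", dict(hits))
    print("POSTs with unlogged action:", dict(opaque))
```

Because the action and its nonce are embedded in frontend pages, the counts are a starting point for review rather than proof of abuse.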

Remediation

Users are advised to update the HT Mega Addons for Elementor WordPress plugin to version 3.0.7 or later.

Added: Apr 23, 2026, 7:19 AM
Updated: Apr 23, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 6.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.