CVE-2023-37999
published 2024-05-17

CVE-2023-37999: Improper Privilege Management vulnerability in HasThemes HT Mega allows Privilege Escalation. This issue affects HT Mega: from n/a through 2.2.0.

Priority: P183 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.04% (85.9th percentile)

Affected (2 ranges)

Vendor      Product    Version range    Fixed in
hasthemes   ht_mega    < 2.2.1          2.2.1
hasthemes   ht_mega    n/a – 2.2.0      (none listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=htmega_ajax_register
path: /wp-content/plugins/ht-mega-for-elementor
command: reg_name={{username}}&reg_password={{password}}&reg_email={{email}}&reg_role=administrator
  • Detect unauthenticated POST requests to the htmega_ajax_register AJAX action with reg_role=administrator in the body, indicating privilege escalation exploitation attempts.
  • A successful exploitation response contains the string 'Successfully Register' with HTTP 200, followed by a successful login to /wp-login.php yielding a 302 redirect with 'wordpress_logged_in' and '/wp-admin' in the Set-Cookie/Location headers.
  • Monitor for the presence of the reg_role parameter set to 'administrator' in POST bodies sent to admin-ajax.php, as the vulnerability stems from missing validation of this parameter in htmega_ajax_register.
  • Scan for WordPress sites with the HT Mega plugin installed by fingerprinting the path /wp-content/plugins/ht-mega-for-elementor.
  • The vulnerability affects HT Mega plugin versions up to and including 2.2.0 only; patched versions are not vulnerable.
  • The attack requires no authentication (unauthenticated), meaning no session cookie or nonce is needed, making it exploitable by any remote attacker against exposed WordPress instances.
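The detection bullets above can be turned into a small log-review rule. The following is an added example (not part of the CVE record or the HT Mega project) that classifies request records against the indicators listed: a call to the htmega_ajax_register action on admin-ajax.php with reg_role=administrator, the 'Successfully Register' marker with HTTP 200 as the success indicator, and requests for the plugin path as fingerprinting. It assumes a log source that captures request bodies and a response snippet (a WAF or reverse proxy); the tab-separated sample log and the label names are constructed for this example.

```python
"""Detection rule for CVE-2023-37999 exploitation indicators (added example).

Assumed, constructed log format (one request per line, tab-separated):
    method <TAB> url <TAB> status <TAB> request_body_or_dash <TAB> response_snippet_or_dash
Real deployments would feed WAF / proxy records into parse_line() instead.
"""
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "htmega_ajax_register"
PLUGIN_PATH = "/wp-content/plugins/ht-mega-for-elementor"
SUCCESS_MARKER = "Successfully Register"  # success indicator from the advisory

# Constructed sample log: one successful escalation, one blocked attempt,
# one ordinary (non-admin) registration, one plugin fingerprint, one benign AJAX call.
SAMPLE_LOG = """\
POST\t/wp-admin/admin-ajax.php?action=htmega_ajax_register\t200\treg_name=x&reg_password=x&reg_email=x%40example.invalid&reg_role=administrator\tSuccessfully Register
POST\t/wp-admin/admin-ajax.php?action=htmega_ajax_register\t403\treg_name=x&reg_password=x&reg_email=x%40example.invalid&reg_role=Administrator\tForbidden
POST\t/wp-admin/admin-ajax.php\t200\taction=htmega_ajax_register&reg_name=alice&reg_password=x&reg_email=alice%40example.invalid&reg_role=subscriber\tSuccessfully Register
GET\t/wp-content/plugins/ht-mega-for-elementor/readme.txt\t200\t-\t-
POST\t/wp-admin/admin-ajax.php?action=heartbeat\t200\tdata=1\t-
"""


def parse_line(line):
    """Split one constructed log line into a request record."""
    method, url, status, body, response = line.rstrip("\n").split("\t")
    parsed = urlparse(url)
    return {
        "method": method,
        "path": parsed.path,
        "query": parse_qs(parsed.query),
        "status": int(status),
        "body": {} if body == "-" else parse_qs(body),
        "response": "" if response == "-" else response,
    }


def ajax_action(rec):
    """admin-ajax.php reads 'action' from the query string or the POST body."""
    for source in (rec["query"], rec["body"]):
        if "action" in source:
            return source["action"][0]
    return None


def classify(rec):
    """Return (label, reason) for a suspicious record, or None if benign."""
    if rec["path"].startswith(PLUGIN_PATH):
        return ("plugin_probe", "request for HT Mega plugin files (fingerprinting)")
    if rec["path"] != AJAX_PATH or ajax_action(rec) != TARGET_ACTION:
        return None
    # The flaw is the unvalidated reg_role parameter; compare case-insensitively.
    role = rec["body"].get("reg_role", [""])[0].strip().lower()
    if role == "administrator":
        if rec["status"] == 200 and SUCCESS_MARKER in rec["response"]:
            return ("exploit_success", "admin account created via htmega_ajax_register")
        return ("exploit_attempt", "reg_role=administrator sent to htmega_ajax_register")
    # Any other call to the vulnerable action is worth an informational record.
    return ("register_call", "htmega_ajax_register with reg_role=%s" % (role or "unset"))


def scan_log(text):
    """Return [(line_no, label, reason), ...] for every flagged record."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        verdict = classify(parse_line(line))
        if verdict is not None:
            alerts.append((line_no, verdict[0], verdict[1]))
    return alerts


if __name__ == "__main__":
    for line_no, label, reason in scan_log(SAMPLE_LOG):
        print("line %d: %-15s %s" % (line_no, label, reason))
```

The rule deliberately separates an attempt (reg_role=administrator seen, whatever the response) from a confirmed success (HTTP 200 plus the 'Successfully Register' marker), so a blocked request still produces an alert while a confirmed one can be escalated to account review; the later 302 from /wp-login.php with a wordpress_logged_in cookie, noted above, is the corroborating follow-up to look for in the same source IP's session.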

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         9.8   CRITICAL