cbcvebase.
CVE-2025-8068
published 2025-07-31

CVE-2025-8068: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability…

PriorityP425medium4.3CVSS 3.1
AVNACLPRLUINSUCNILAN
EPSS
0.28%
19.7th percentile
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash.

Affected

2 ranges
VendorProductVersion rangeFixed in
devitemsllcht_mega_addons_for_elementor_elementor_widgets_template_builder<= 2.9.1
hasthemesht_mega< 2.9.22.9.2

CVSS provenance

nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
cisa5.1MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.