CVE-2026-4106
Published 2026-04-23
Priority P3 · 37 · medium · 5.3 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS 0.74% · 50.0th percentile
The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days.
GHSA
GHSA-fjqg-327f-q6hw
ghsa_unreviewed·2026-04-23
CVE-2026-4106 [MEDIUM] CWE-200
Citrix
Citrix Security Bulletin CTX206006
vendor_citrix·CVSS 4.6
CVE-2015-4106 [MEDIUM]
CVE References: CVE-2015-4106, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
Citrix Security Bulletin CTX201145
vendor_citrix·CVSS 4.6
CVE-2015-4106 [MEDIUM]
CVE References: CVE-2015-4106, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
Nuclei
HT Mega < 3.0.7 - Sensitive Information Disclosure
nuclei·CVSS 7.5
CVE-2026-4106
The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation.
Template:
id: CVE-2026-4106

info:
  name: HT Mega < 3.0.7 - Sensitive Information Disclosure
  author: EFETR
  severity: high
  description: |
    The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation.
  reference:
    - https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-09ee2f4daa3e/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-4106
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-4106
  metadata:
    max-re
No writeups or analysis indexed.
Published: 2026-04-23