Hasthemes Ht Mega vulnerabilities
30 known vulnerabilities affecting hasthemes/ht_mega.
Total CVEs
30
CISA KEV
0
Public exploits
1
Exploited in wild
2
Severity breakdown
CRITICAL1HIGH3MEDIUM26
Vulnerabilities
Page 1 of 2
CVE-2023-37999P1CRITICALCVSS 9.8ExploitedPoCfixed in 2.2.1≥ n/a, ≤ 2.2.02024-05-17
CVE-2023-37999 [CRITICAL] CWE-269 CVE-2023-37999: Improper Privilege Management vulnerability in HasThemes HT Mega allows Privilege Escalation.This is
Improper Privilege Management vulnerability in HasThemes HT Mega allows Privilege Escalation.This issue affects HT Mega: from n/a through 2.2.0.
nvd
CVE-2024-38706P2HIGHCVSS 8.8Exploitedfixed in 2.5.82024-07-12
CVE-2024-38706 [HIGH] CWE-35 CVE-2024-38706: Path Traversal: '.../...//' vulnerability in DevItems HT Mega ht-mega-for-elementor.This issue affec
Path Traversal: '.../...//' vulnerability in DevItems HT Mega ht-mega-for-elementor.This issue affects HT Mega: from n/a through <= 2.5.7.
nvd
CVE-2023-6214P3HIGHCVSS 7.5fixed in 2.4.72024-05-02
CVE-2023-6214 [HIGH] CWE-200 CVE-2023-6214: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Informat
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.6 via the purchased_products function. This makes it possible for unauthenticatied attackers to extract sensitive data including the previous 7 days of order data including products and customer PII.
nvd
CVE-2023-51529P3HIGHCVSS 8.8fixed in 2.3.42024-02-29
CVE-2023-51529 [HIGH] CWE-352 CVE-2023-51529: Cross-Site Request Forgery (CSRF) vulnerability in HasThemes HT Mega – Absolute Addons For Elementor
Cross-Site Request Forgery (CSRF) vulnerability in HasThemes HT Mega – Absolute Addons For Elementor.This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.3.
nvd
CVE-2024-1974P3MEDIUMCVSS 6.5fixed in 2.4.72024-04-09
CVE-2024-1974 [MEDIUM] CWE-22 CVE-2024-1974: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversa
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information.
nvd
CVE-2024-32782P4MEDIUMCVSS 6.5fixed in 2.4.82024-04-24
CVE-2024-32782 [MEDIUM] CWE-201 CVE-2024-32782: Insertion of Sensitive Information Into Sent Data vulnerability in DevItems HT Mega ht-mega-for-elem
Insertion of Sensitive Information Into Sent Data vulnerability in DevItems HT Mega ht-mega-for-elementor.This issue affects HT Mega: from n/a through <= 2.4.7.
nvd
CVE-2021-24261P4MEDIUMCVSS 5.4fixed in 1.5.72021-05-05
CVE-2021-24261 [MEDIUM] CWE-79 CVE-2021-24261: The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several
The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
nvd
CVE-2025-8068P4MEDIUMCVSS 4.3fixed in 2.9.22025-07-31
CVE-2025-8068 [MEDIUM] CWE-863 CVE-2025-8068: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modif
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbit
nvd
CVE-2024-5215P4MEDIUMCVSS 5.4fixed in 2.5.62024-06-26
CVE-2024-5215 [MEDIUM] CWE-79 CVE-2024-5215: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above,
nvd
CVE-2025-1261P4MEDIUMCVSS 5.4≤ 2.8.22025-03-08
CVE-2025-1261 [MEDIUM] CVE-2025-1261: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to DOM-Based Stored C
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level
nvd
CVE-2024-12599P4MEDIUMCVSS 6.1≤ 2.8.12025-02-11
CVE-2024-12599 [MEDIUM] CWE-79 CVE-2024-12599: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level ac
nvd
CVE-2024-1397P4MEDIUMCVSS 5.4fixed in 2.4.72024-03-12
CVE-2024-1397 [MEDIUM] CWE-79 CVE-2024-1397: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on the 'titleTag' user supplied attributes. This makes it possible for authenticated attackers with contributor-level
nvd
CVE-2024-3990P4MEDIUMCVSS 5.4fixed in 2.5.12024-05-14
CVE-2024-3990 [MEDIUM] CWE-79 CVE-2024-3990: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tooltip & Popover Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level acces
nvd
CVE-2024-3308P4MEDIUMCVSS 5.4fixed in 2.5.02024-05-02
CVE-2024-3308 [MEDIUM] CWE-79 CVE-2024-3308: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget's attributes in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbit
nvd
CVE-2024-4876P4MEDIUMCVSS 5.4fixed in 2.5.32024-05-21
CVE-2024-4876 [MEDIUM] CWE-79 CVE-2024-4876: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popover_header_text’ parameter in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inje
nvd
CVE-2024-3989P4MEDIUMCVSS 5.4fixed in 2.5.12024-05-14
CVE-2024-3989 [MEDIUM] CWE-79 CVE-2024-3989: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gallery Justify Widget in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-leve
nvd
CVE-2024-2790P4MEDIUMCVSS 5.4fixed in 2.4.92024-05-02
CVE-2024-2790 [MEDIUM] CWE-79 CVE-2024-2790: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Accordion widget in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above,
nvd
CVE-2024-3307P4MEDIUMCVSS 5.4fixed in 2.5.02024-05-02
CVE-2024-3307 [MEDIUM] CWE-79 CVE-2024-3307: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget's attributes in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitra
nvd
CVE-2024-2085P4MEDIUMCVSS 5.4fixed in 2.4.72024-05-02
CVE-2024-2085 [MEDIUM] CWE-79 CVE-2024-2085: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' value in several widgets all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level an
nvd
CVE-2024-2084P4MEDIUMCVSS 5.4fixed in 2.4.72024-05-02
CVE-2024-2084 [MEDIUM] CWE-79 CVE-2024-2084: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox widget in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and ab
nvd
1 / 2Next →