Unauthenticated Data Exposure in HT Mega Addons for Elementor Plugin
CVE-2026-4106

Currently unrated

Key Information:

Vendor: WordPress
Status: Ht Mega Addons For Elementor
Vendor: CVE Published:; 23 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-4106?

The HT Mega Addons for Elementor plugin prior to version 3.0.7 contains a vulnerability where an unauthenticated AJAX action exposes personally identifiable information (PII) of customers who have made orders within the last week. This includes sensitive information such as full names, city, state, and country, making it crucial for website administrators to update their plugins promptly to safeguard user data.

Affected Version(s)

HT Mega Addons for Elementor 0 < 3.0.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-4106 - Proof of Concept

References

https://wpscan.com/vulnerability/9477ead2-3990-4aae-8e66-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 23, 2026
👾
Exploit known to exist
Apr 23, 2026
Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Mar 13, 2026

Credit

Chiao-Lin Yu (Steven Meow)

WPScan

CVE-2026-4106 Data

JSON

WordPress