CVE-2026-4106 PUBLISHED

HT Mega < 3.0.7 – Unauthenticated PII Disclosure

Assigner: WPScan
Reserved: 13.03.2026 Published: 23.04.2026 Updated: 23.04.2026

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action that returns some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days.

Product Status

Vendor Unknown
Product HT Mega Addons for Elementor
Versions Default: unaffected
  • affected from 0 to 3.0.7 (excl.)

Credits

  • Chiao-Lin Yu (Steven Meow) finder
  • WPScan coordinator

References

Problem Types

  • CWE-200 Information Exposure