Description
Missing Authorization vulnerability in DevItems HT Mega ht-mega-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through <= 2.9.0.
Published: 2025-08-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw in the DevItems HT Mega plugin for WordPress, allowing attackers to exploit incorrectly configured access control security levels. The weakness is categorized as CWE‑862, indicating a failure to restrict access to privileged functions. As a result, an attacker who can reach the plugin’s functions can perform actions normally reserved for higher‑privileged users, potentially altering content or configuration settings without authorization.

Affected Systems

The affected product is DevItems HT Mega for Elementor. All releases from the inception of the plugin up through version 2.9.0 are vulnerable. WordPress sites that have this plugin installed and configured are therefore at risk.

Risk and Exploitability

The CVSS score of 5.4 places this vulnerability in the medium severity range. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. Attackers would most likely reach the vulnerable functionality by accessing the plugin’s web interfaces on the site; an incorrect or missing authorization check would allow them to invoke privileged operations. The likely attack vector is inferred from the missing authorization check. While there is no specific mention of remote code execution or data exfiltration, the ability to perform unauthorized actions could lead to configuration changes, content tampering, or other integrity violations.

Generated by OpenCVE AI on May 1, 2026 at 06:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HT Mega plugin to the latest version available from DevItems or the WordPress plugin repository; apply the update as soon as a release that addresses the broken access control flaw is available.
  • If an update is not immediately available, remove the HT Mega plugin from the WordPress site or disable all of its externally exposed endpoints to eliminate the vulnerable functionality.
  • Review and tighten role‑based access controls on the site, ensuring that only users with administrative privileges can trigger HT Mega‑related actions.

Advisories
Source ID Title
EUVD EUVD-2025-24699 Missing Authorization vulnerability in HasTech HT Mega allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through 2.9.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in HasTech HT Mega allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through 2.9.0.
  Added: Missing Authorization vulnerability in DevItems HT Mega ht-mega-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through <= 2.9.0.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in HasTech HT Mega allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through 2.9.0.
Title WordPress HT Mega Plugin plugin <= 2.9.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.980Z

Reserved: 2025-07-28T10:55:57.300Z

Link: CVE-2025-54695

Vulnrichment

Updated: 2025-08-14T14:17:16.545Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:51.040

Modified: 2026-04-23T15:32:50.450

Link: CVE-2025-54695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses