Description
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash.
Published: 2025-07-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization leading to data deletion
Action: Apply Patch
AI Analysis

Impact

The HT Mega – Absolute Addons For Elementor plugin for WordPress contains an improper authorization check on the 'ajax_trash_templates' function in all versions up to and including 2.9.1. This flaw allows authenticated attackers with Contributor-level access or higher to delete arbitrary attachment files and move arbitrary posts, pages, and templates to the Trash without proper permission verification. The consequence is loss of content and potential disruption of website functionality, affecting the integrity of data within the site.

Affected Systems

All installations of the HT Mega – Absolute Addons For Elementor WordPress plugin provided by devitemsllc, specifically versions 2.9.1 and earlier. The plugin is distributed for free and appears in the WordPress repository under the name HT Mega. Users who have not updated beyond version 2.9.1 are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity vulnerability, while the EPSS of less than 1% indicates a very low probability of exploitation in the wild. The flaw is not currently listed in the CISA KEV catalog. Attackers must authenticate to the WordPress site with at least Contributor privileges to exploit this weakness. The likely attack vector is a web request to the AJAX endpoint 'ajax_trash_templates', where the plugin fails to verify the requesting user's capability properly. Because exploitation requires legitimate site access, detection may rely on monitoring for unexpected content deletions; the flaw itself should be mitigated by applying a patch or disabling the affected functionality.

Generated by OpenCVE AI on April 20, 2026 at 22:05 UTC.
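To show the class of defect this advisory describes (CWE-863: an AJAX handler whose nonce check is not paired with an object-level capability check), here is an added illustration that is not the HT Mega plugin's code. The action name, nonce name, request field and the 'example_template' post type are hypothetical placeholders.

```php
<?php
// Added illustration of CWE-863 in a WordPress AJAX handler. This is NOT the
// HT Mega plugin's code; 'example_trash_templates', 'example_trash_nonce',
// the 'ids' field and the 'example_template' post type are hypothetical.

// Vulnerable pattern: the nonce proves the request came from a logged-in
// session of *some* user, but nothing checks that this user may trash or
// delete the specific object. Any role that reaches wp-admin (Contributor and
// above) passes, so arbitrary posts, pages and attachments can be affected.
function example_trash_templates_vulnerable() {
    check_ajax_referer( 'example_trash_nonce', 'nonce' );
    $ids = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        if ( 'attachment' === get_post_type( $id ) ) {
            wp_delete_attachment( $id, true );
        } else {
            wp_trash_post( $id );
        }
    }
    wp_send_json_success();
}

// Hardened pattern: nonce, an allow-list of the post types this feature is
// meant to manage, and a capability check against each specific object.
// 'delete_post' is a meta capability that WordPress maps to the right
// primitive (e.g. delete_others_posts for someone else's published post),
// so a Contributor is refused for anything that is not their own draft.
function example_trash_templates_hardened() {
    check_ajax_referer( 'example_trash_nonce', 'nonce' );
    $ids     = array_filter( array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) ) );
    $allowed = array( 'attachment', 'example_template' ); // hypothetical allow-list
    // Validate every id before touching any of them, so a denial rejects the
    // whole request instead of applying it partially.
    foreach ( $ids as $id ) {
        if ( ! in_array( get_post_type( $id ), $allowed, true )
            || ! current_user_can( 'delete_post', $id ) ) {
            wp_send_json_error( 'forbidden', 403 ); // exits
        }
    }
    foreach ( $ids as $id ) {
        if ( 'attachment' === get_post_type( $id ) ) {
            wp_delete_attachment( $id, true );
        } else {
            wp_trash_post( $id );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_trash_templates', 'example_trash_templates_hardened' );
```

Deliberately no 'wp_ajax_nopriv_' registration: the endpoint is only meaningful for logged-in users, and the per-object check is what the advisory's "Contributor+" class of bug lacks.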

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HT Mega – Absolute Addons For Elementor plugin to the latest available release to apply the vendor fix.
  • If an upgrade cannot be made immediately, disable or remove the plugin to prevent unintended deletions.
  • Limit Contributor-level permissions to prevent attachment deletion or post management, possibly using a role management plugin.
  • Monitor logs for unexpected trash operations and audit deletion events to detect misuse.


Tracking


Advisories
Source   ID                 Title
EUVD     EUVD-2025-23262    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash.
History

Wed, 13 Aug 2025 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Hasthemes
                                       Hasthemes ht Mega
CPEs                                   cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*
Vendors & Products                     Hasthemes
                                       Hasthemes ht Mega

Thu, 31 Jul 2025 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Elementor
                                       Elementor elementor
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Elementor
                                       Elementor elementor
                                       Wordpress
                                       Wordpress wordpress

Thu, 31 Jul 2025 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 31 Jul 2025 11:30:00 +0000

Type                  Values Removed   Values Added
Description                            The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash.
Title                                  HT Mega – Absolute Addons For Elementor <= 2.9.1 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions
Weaknesses                             CWE-863
References
Metrics                                cvssV3_1
                                       {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Elementor Elementor
Hasthemes Ht Mega
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:13.733Z

Reserved: 2025-07-22T23:11:56.008Z

Link: CVE-2025-8068

Vulnrichment

Updated: 2025-07-31T13:41:14.876Z

NVD

Status: Analyzed

Published: 2025-07-31T12:15:26.637

Modified: 2025-08-13T19:32:40.243

Link: CVE-2025-8068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses