The HT Mega Addons for Elementor WordPress plugin versions before 3.0.7 allow an attacker to trigger an unauthenticated AJAX action that returns personally identifiable information, such as full names, cities, states, and countries, of customers who placed orders within the last seven days. This privacy violation can expose sensitive user data without authorization and potentially lead to identity theft or phishing operations. The vulnerability is a classic information disclosure flaw (CWE‑200) and does not allow code execution or escalation of privileges.

WordPress sites that have the HT Mega Addons for Elementor plugin installed in a version earlier than 3.0.7. No other plugins or WordPress core components are directly impacted. The issue is limited to the plugin's AJAX endpoint and is not mitigated by default WordPress security settings. Users must verify that the plugin version in use meets the minimum required version to avoid exposure.

The CVSS score of 5.3 indicates a moderate severity, driven primarily by the availability of sensitive data. The EPSS score of less than 1% suggests the probability of exploitation is low, and the vulnerability is not present in the CISA KEV catalog. The likely attack vector is any unauthenticated user able to send a crafted AJAX request to the vulnerable endpoint, bypassing any login requirement. Because the data is limited to recent orders, the window of exploitation is narrow, but the severity of the privacy breach remains significant.