Ghostwire
Home / Vulnerabilities / CVE-2026-4106

CVE-2026-4106: The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some...

MEDIUM CVSS 0.0 Exploit Available 1 PoC

Published: April 23, 2026 | Last Modified: April 23, 2026

Description

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (1)

Security Coverage (12 articles)

CVE Feed
CVE-2026-4106 - HT Mega < 3.0.7 – Unauthenticated PII Disclosure
 CVE Feed
CVE-2026-41064 - AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)
 Tenable CVEs
CVE-2026-41064
 CVE Feed
CVE-2026-41063 - WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)
 CVE Feed
CVE-2026-41062 - WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters
 CVE Feed
CVE-2026-41060 - AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
 Tenable CVEs
CVE-2026-41062
 Tenable CVEs
CVE-2026-41061
 Tenable CVEs
CVE-2026-41060
 Tenable CVEs
CVE-2026-41063
 Tenable CVEs
CVE-2026-41067
 Tenable CVEs
CVE-2026-41066

References