CVE-2024-4875 in HT Mega Plugin

Summary

by MITRE • 05/21/2024

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update options such as users_can_register, which can lead to unauthorized user registration.

Analysis

by VulDB Data Team • 05/10/2026

The HT Mega – Absolute Addons For Elementor plugin presents a critical security vulnerability that undermines data integrity and system confidentiality through a fundamental flaw in its access control mechanisms. This vulnerability specifically affects versions up to and including 2.5.2, where the plugin fails to implement proper capability checks within its ajax_dismiss function. The absence of such validation creates an exploitable pathway that allows authenticated attackers with subscriber-level permissions or higher to manipulate core WordPress configuration options. The flaw resides in the plugin's failure to verify user permissions before executing data modification operations, directly violating established security principles that mandate proper authorization checks for all privileged actions.

The technical implementation of this vulnerability stems from the plugin's inadequate input validation and permission verification processes within its ajax_dismiss endpoint. When an authenticated user with subscriber privileges or higher makes a request to this function, the system does not properly validate whether the user possesses the necessary capabilities to modify sensitive WordPress options. This missing capability check creates a direct attack vector that enables privilege escalation through data manipulation. The vulnerability specifically allows attackers to modify the users_can_register option, which controls whether new users can register on the WordPress site. This configuration change represents a significant security risk as it directly impacts the site's user registration policies and can lead to unauthorized access through automated registration processes.

The operational impact of this vulnerability extends beyond simple data modification to encompass potential system compromise and unauthorized access escalation. Attackers who exploit this vulnerability can enable open user registration on vulnerable sites, allowing malicious actors to create accounts and potentially gain additional privileges. This modification can facilitate various downstream attacks including credential stuffing, spam registration, and social engineering campaigns that leverage the increased user base. The vulnerability also undermines the principle of least privilege by allowing users with minimal permissions to alter fundamental system configurations that should only be accessible to administrators or privileged users. This flaw creates opportunities for attackers to establish persistent access points and can significantly weaken the overall security posture of WordPress installations using the affected plugin.

Organizations and WordPress administrators should prioritize immediate mitigation of this vulnerability through plugin updates to versions that address the missing capability check. The recommended approach involves upgrading to the latest available version of the HT Mega plugin where the authorization flaw has been corrected. Additionally, administrators should implement network-level monitoring to detect unusual patterns in user registration activities that might indicate exploitation attempts. Security teams should also review user permissions and implement role-based access controls that limit the capabilities of lower-privilege accounts. The vulnerability aligns with CWE-284, which describes improper access control, and represents a clear violation of the principle of least privilege as defined in the NIST Cybersecurity Framework. From an ATT&CK perspective, this vulnerability maps to privilege escalation techniques and can enable further exploitation through the initial unauthorized configuration changes. Regular security audits and automated vulnerability scanning should be implemented to identify similar access control weaknesses in other plugins and themes that may present similar risks to system integrity and data confidentiality.
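
The missing capability check described in this analysis can be illustrated with a hardened AJAX handler. This is an added example, not HT Mega's source code and not the vendor's patch; the action name `example_dismiss_notice`, the `nonce` and `notice` request fields and the `example_notice_*` option keys are hypothetical.

```php
<?php
// Added illustration: hypothetical plugin code, not HT Mega's source.
// The action name, request fields and option keys are assumptions.

// wp_ajax_{action} fires for ANY logged-in user, subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice' );

function example_dismiss_notice() {
    // 1. CSRF: reject requests that lack a valid nonce for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // 2. Authorization: the capability check whose absence defines
    //    this class of bug. Only users who may manage site options pass.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Never let the request choose an arbitrary option name. Map the
    //    submitted notice ID onto a fixed allowlist of plugin-owned keys,
    //    so core options such as users_can_register stay out of reach.
    $allowed = array(
        'rating'  => 'example_notice_rating_dismissed',
        'upgrade' => 'example_notice_upgrade_dismissed',
    );
    $notice = isset( $_POST['notice'] )
        ? sanitize_key( wp_unslash( $_POST['notice'] ) )
        : '';
    if ( ! isset( $allowed[ $notice ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown notice' ), 400 );
    }

    // 4. The stored value is fixed server-side, not taken from the request.
    update_option( $allowed[ $notice ], 1, false );
    wp_send_json_success();
}
```

The allowlist in step 3 limits the damage even if a later change weakens the capability check, because the handler can then only write its own keys.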

Reservation

05/14/2024

Disclosure

05/21/2024

Moderation

accepted

CPE

ready

EPSS

0.04947

KEV

no

Activities

very low
