{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8068", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-22T23:11:56.008Z", "datePublished": "2025-07-31T11:19:13.164Z", "dateUpdated": "2026-04-08T17:27:13.733Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:13.733Z"}, "affected": [{"vendor": "devitemsllc", "product": "HT Mega Addons for Elementor \u2013 Elementor Widgets & Template Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash."}], "title": "HT Mega \u2013 Absolute Addons For Elementor <= 2.9.1 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9cf6dae-572f-4eaa-8e8a-bca9e74fe738?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.0/admin/include/class.theme-builder.php#L625"}, {"url": "https://plugins.trac.wordpress.org/changeset/3336533/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-07-22T23:48:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-31T13:40:30.757795Z", "id": "CVE-2025-8068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T13:41:25.600Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-31T13:40:30.757795Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T13:41:14.876Z"}}], "cna": {"title": "HT Mega \u2013 Absolute Addons For Elementor <= 2.9.1 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "devitemsllc", "product": "HT Mega Addons for Elementor \u2013 Elementor Widgets & Template Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-22T23:48:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9cf6dae-572f-4eaa-8e8a-bca9e74fe738?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.0/admin/include/class.theme-builder.php#L625"}, {"url": "https://plugins.trac.wordpress.org/changeset/3336533/"}], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:13.733Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8068", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:13.733Z", "dateReserved": "2025-07-22T23:11:56.008Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-31T11:19:13.164Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "579E7169-A399-45BE-9960-2BB08F593963", "versionEndExcluding": "2.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash."}, {"lang": "es", "value": "El complemento HT Mega \u2013 Absolute Addons para Elementor para WordPress es vulnerable a modificaciones no autorizadas y p\u00e9rdida de datos debido a una comprobaci\u00f3n incorrecta de la funci\u00f3n 'ajax_trash_templates' en todas las versiones hasta la 2.9.1 incluida. Esto permite a atacantes autenticados, con acceso de colaborador o superior, eliminar archivos adjuntos arbitrarios y mover entradas, p\u00e1ginas y plantillas arbitrarias a la papelera."}], "id": "CVE-2025-8068", "lastModified": "2025-08-13T19:32:40.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-31T12:15:26.637", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.0/admin/include/class.theme-builder.php#L625"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3336533/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9cf6dae-572f-4eaa-8e8a-bca9e74fe738?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:05:09.864501+00:00", "value": {"mitigation_remediation": ["Upgrade the HT Mega \u2013 Absolute Addons For Elementor plugin to the latest available release to apply the vendor fix.", "If an upgrade cannot be made immediately, disable or remove the plugin to prevent unintended deletions.", "Limit Contributor-level permissions to prevent attachment deletion or post management, possibly using a role management plugin.", "Monitor logs for unexpected trash operations and audit deletion events to detect misuse."], "summary": {"action": "Apply Patch", "impact": "Improper Authorization leading to data deletion"}, "threat_synthesis": {"affected_systems": "All installations of the HT Mega \u2013 Absolute Addons For Elementor WordPress plugin provided by devitemsllc, specifically versions 2.9.1 and earlier. The plugin is distributed for free and appears in the WordPress repository under the name HT Mega. Users who have not updated beyond version 2.9.1 are vulnerable.", "description_and_impact": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress contains an improper authorization check on the 'ajax_trash_templates' function in all versions up to and including 2.9.1. This flaw allows authenticated attackers with Contributor-level access or higher to delete arbitrary attachment files and move arbitrary posts, pages, and templates to the Trash without proper permission verification. The consequence is loss of content and potential disruption of website functionality, affecting the integrity of data within the site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium severity vulnerability, while the EPSS of less than 1% indicates a very low probability of exploitation in the wild. The flaw is not currently listed in the CISA KEV catalog. Attackers must authenticate to the WordPress site with at least Contributor privileges to exploit this weakness. The likely attack vector is a web request to the AJAX endpoint 'ajax_trash_templates', where the plugin fails to verify the requesting user\u2019s capability properly. Because the vulnerability requires legitimate site access, detection may rely on monitoring for unexpected content deletions, but should be mitigated by applying a patch or disabling the affected functionality."}}}}, "created": "2025-07-31T20:37:52.576842+00:00", "updated": "2026-04-20T22:15:06.185875+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}