{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8401", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-30T22:55:56.638Z", "datePublished": "2025-07-31T11:19:12.771Z", "dateUpdated": "2026-04-08T17:10:01.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:01.120Z"}, "affected": [{"vendor": "devitemsllc", "product": "HT Mega Addons for Elementor \u2013 Elementor Widgets & Template Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including the content of private, password-protected, and draft posts and pages."}], "title": "HT Mega \u2013 Absolute Addons For Elementor <= 2.9.1 - Authenticated (Author+) Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9540b339-3386-4ee8-8141-acb9f3d83772?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.1/htmega-blocks/includes/classes/Manage_Styles.php#L99"}, {"url": "https://plugins.trac.wordpress.org/changeset/3336533/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-07-24T23:25:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-31T14:07:05.907615Z", "id": "CVE-2025-8401", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T14:09:28.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-31T14:07:05.907615Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T14:09:23.759Z"}}], "cna": {"title": "HT Mega \u2013 Absolute Addons For Elementor <= 2.9.1 - Authenticated (Author+) Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "devitemsllc", "product": "HT Mega \u2013 Absolute Addons For Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-24T23:25:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9540b339-3386-4ee8-8141-acb9f3d83772?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.1/htmega-blocks/includes/classes/Manage_Styles.php#L99"}, {"url": "https://plugins.trac.wordpress.org/changeset/3336533/"}], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including the content of private, password-protected, and draft posts and pages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-31T11:19:12.771Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8401", "state": "PUBLISHED", "dateUpdated": "2025-07-31T14:09:28.317Z", "dateReserved": "2025-07-30T22:55:56.638Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-31T11:19:12.771Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "579E7169-A399-45BE-9960-2BB08F593963", "versionEndExcluding": "2.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including the content of private, password-protected, and draft posts and pages."}, {"lang": "es", "value": "El complemento HT Mega \u2013 Absolute Addons para Elementor para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 2.9.1 incluida, a trav\u00e9s de la funci\u00f3n 'get_post_data'. Esto permite a atacantes autenticados, con acceso de autor o superior, extraer datos confidenciales, incluyendo el contenido de entradas y p\u00e1ginas privadas, protegidas con contrase\u00f1a y en borrador."}], "id": "CVE-2025-8401", "lastModified": "2025-08-13T19:31:59.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-31T12:15:27.437", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.9.1/htmega-blocks/includes/classes/Manage_Styles.php#L99"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3336533/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9540b339-3386-4ee8-8141-acb9f3d83772?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:31:44.716207+00:00", "value": {"mitigation_remediation": ["Upgrade the HT Mega Addons for Elementor plugin to the latest available version that eliminates the vulnerable get_post_data function.", "If an upgrade is not feasible, disable or delete the plugin to remove the exposure.", "Review WordPress user roles and limit author\u2011level access to trusted users, enforcing proper access control so that only authorized personnel can view private, password\u2011protected, and draft content."], "summary": {"action": "Patch Now", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the devitemsllc HT Mega Addons for Elementor plugin for WordPress, for any version up to and including 2.9.1. Sites that have installed 2.9.1 or an earlier version are at risk. No other versions are currently listed as affected.", "description_and_impact": "The HT Mega \u2013 Absolute Addons For Elementor plugin contains a flaw in the get_post_data function that allows an attacker with author or higher privileges to retrieve the full content of private, password\u2011protected, and draft posts and pages. This results in the disclosure of sensitive information that is intended to remain hidden from unauthenticated users. The weakness is an improper access control issue, classified as CWE\u2011285, where restricted data is accessible to users who should not have such visibility.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk level, and the EPSS figure of less than 1% shows that the likelihood of exploitation is very low in the wild. The vulnerability is not yet part of CISA\u2019s KEV catalog. Since the attack requires an authenticated author\u2011level account, the threat is largely internal; it would be unlikely to succeed from an external source without first compromising credentials."}}}}, "created": "2025-07-31T20:37:51.869324+00:00", "updated": "2026-04-21T19:45:16.068984+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}