CVE-2023-6214
📋 TL;DR
The HT Mega plugin for WordPress exposes sensitive order data including customer PII through an unauthenticated API endpoint. This affects all WordPress sites using HT Mega plugin versions up to 2.4.6 with WooCommerce integration enabled.
💻 Affected Systems
- HT Mega - Absolute Addons For Elementor WordPress plugin
📦 What is this software?
HT Mega (Absolute Addons For Elementor) by HasThemes
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing customer names, email addresses, order details, and potentially payment information from the last 7 days of orders, leading to regulatory fines and reputational damage.
Likely Case
Attackers harvest customer PII for phishing campaigns or identity theft, or sell the data on dark web markets.
If Mitigated
Limited exposure if the plugin is patched or disabled, but historical data may already have been compromised.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint can extract data without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.7
Vendor Advisory: https://wordpress.org/plugins/ht-mega-for-elementor/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'HT Mega - Absolute Addons For Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.4.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable HT Mega plugin
Platform: all
Temporarily disable the vulnerable plugin until it is patched (WP-CLI):
wp plugin deactivate ht-mega-for-elementor
Block vulnerable endpoint via .htaccess
Platform: linux
Block access to the vulnerable API endpoint at the web server level. The rule below is for Apache with mod_rewrite and goes in the site's .htaccess (other web servers need an equivalent deny rule):
RewriteEngine On
RewriteRule ^wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/ - [F,L]
🧯 If You Can't Patch
- Disable the 'Sales Notification' feature in HT Mega plugin settings
- Implement WAF rules to block requests to /wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → HT Mega version. If the version is ≤ 2.4.6, the site is vulnerable.
Check Version:
wp plugin get ht-mega-for-elementor --field=version
Verify Fix Applied:
After updating, confirm that the plugin version shown in WordPress admin (or by the WP-CLI command above) is 2.4.7 or higher.
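Comparing version strings by hand is where verification scripts go wrong: as plain strings, "2.10.0" sorts before "2.4.7" even though it is newer. The following is an added example (not the page's or the vendor's code) that parses the output of the WP-CLI command above and compares it numerically against the fixed version stated in the advisory, 2.4.7. The function names and the handling of suffixes such as "-beta" are my own assumptions.

```python
import re
import sys

# Fixed version from the advisory; anything below it is affected.
FIXED_VERSION = "2.4.7"


def parse_version(v):
    """Turn a version string such as '2.4.6' or 'v2.10.0-beta' into a tuple of ints.

    Only the leading dotted numeric part is used; a textual suffix is ignored
    (assumption: a pre-release of 2.4.7 already carries the fix).
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is numerically lower than the fixed one.

    Tuples are padded with zeros so that '2.4' compares equal to '2.4.0'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    # Usage: wp plugin get ht-mega-for-elementor --field=version | python3 check_htmega.py
    installed = sys.stdin.read().strip()
    verdict = "VULNERABLE" if is_vulnerable(installed) else "patched"
    print(f"HT Mega {installed}: {verdict} (fix: {FIXED_VERSION})")
```

The numeric comparison is the point: a string comparison would report 2.10.0 as vulnerable and could also be fooled into reporting 2.4.10 as older than 2.4.7.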
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/
- Unusual GET requests with 'action=purchased_products' parameter
Network Indicators:
- Outbound traffic patterns showing data exfiltration to unknown IPs
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/" AND status=200
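The SIEM query above only matches the endpoint path. The script below is an added example, not code from the page or the plugin vendor, showing how a defender can run both log indicators listed in this section (the endpoint path and the action=purchased_products parameter) over access-log lines and flag source addresses that repeatedly received 200 responses, which is the harvesting pattern described under "Likely Case". The log lines are constructed for the example, use documentation IP ranges, and assume the Apache/Nginx "combined" log format; the threshold and function names are my own choices.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators from the advisory's "Log Indicators" list.
VULN_PATH = "/wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/"
SUSPICIOUS_ACTION = "purchased_products"

# Assumed "combined" log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic): one client pulls the endpoint
# repeatedly with success, another is refused with 403 after the .htaccess block.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2023:10:00:01 +0000] "GET /wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/ HTTP/1.1" 200 4821 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Dec/2023:10:00:02 +0000] "GET /wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/ HTTP/1.1" 200 4799 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Dec/2023:10:00:03 +0000] "GET /index.php?action=purchased_products HTTP/1.1" 200 3310 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Dec/2023:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2023:10:05:01 +0000] "GET /wp-content/plugins/ht-mega-for-elementor/extensions/wc-sales-notification/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_indicator(rec):
    """True when a parsed request matches either indicator from the advisory."""
    if rec is None:
        return False
    hits_path = rec["path"].startswith(VULN_PATH)
    hits_action = SUSPICIOUS_ACTION in rec["query"].get("action", [])
    return hits_path or hits_action


def scan(lines, threshold=3):
    """Return (matching records, successful hits per IP, IPs at or over threshold).

    Only 200 responses count towards the per-IP total: a 403 from the
    .htaccess workaround means the request was blocked, not that data left.
    """
    hits = []
    success_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_indicator(rec):
            hits.append(rec)
            if rec["status"] == 200:
                success_by_ip[rec["ip"]] += 1
    noisy = sorted(ip for ip, n in success_by_ip.items() if n >= threshold)
    return hits, success_by_ip, noisy


if __name__ == "__main__":
    hits, by_ip, noisy = scan(SAMPLE_LOG)
    print(f"{len(hits)} indicator hits")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n} successful requests")
    print("IPs to investigate:", ", ".join(noisy) or "none")
```

Running it on real logs means reading lines from the access log instead of SAMPLE_LOG; the 403 line shows why status should be part of the SIEM query as on the page, since blocked requests are evidence of probing but not of a data leak.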
🔗 References
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.3.6/extensions/wc-sales-notification/classes/class.sale_notification.php
- https://plugins.trac.wordpress.org/changeset/3048999/ht-mega-for-elementor/trunk/extensions/wc-sales-notification/classes/class.sale_notification.php?old=2654447&old_path=ht-mega-for-elementor%2Ftrunk%2Fextensions%2Fwc-sales-notification%2Fclasses%2Fclass.sale_notification.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/54043c6a-48a1-48e8-ba61-a7e8a1773036?source=cve