CVE-2024-1974
📋 TL;DR
This vulnerability in the HT Mega - Absolute Addons For Elementor plugin for WordPress (versions 2.4.6 and earlier) lets authenticated attackers with contributor-level access or higher feed directory traversal sequences to the plugin's weather widget (includes/widgets/htmega_weather.php) and read arbitrary files that the web server user can read. That includes wp-config.php, which holds the database credentials and authentication salts. Any WordPress site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- HT Mega - Absolute Addons For Elementor WordPress Plugin
📦 What is this software?
HT Mega by HasThemes is a collection of add-on widgets for the Elementor page builder on WordPress. The file fixed in 2.4.7, includes/widgets/htmega_weather.php, implements its weather widget.
⚠️ Risk & Real-World Impact
Worst Case
An attacker reads every file the PHP process can read, starting with wp-config.php (database credentials and authentication salts) and other configuration files, then uses the credentials to reach the database, forge sessions, or plant a backdoor, ending in complete site compromise.
Likely Case
An attacker with a contributor account exfiltrates wp-config.php, and, if the database port is reachable or another entry point exists, uses the credentials for data theft or site defacement.
If Mitigated
With untrusted contributor accounts removed or restricted and a WAF blocking traversal sequences, an attacker has no account from which to reach the flaw. File permissions help only at the margins: they keep the PHP process away from files outside the web root, but wp-config.php must stay readable by PHP, so permissions alone do not protect it.
🎯 Exploit Status
Exploitation requires an authenticated account at contributor level or higher (a role that can author posts, so it is often obtainable through open registration or a compromised low-privilege user), but is otherwise technically simple. Public proof-of-concept code exists in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.7
Fix Commit (plugin changeset, not a vendor advisory): https://plugins.trac.wordpress.org/changeset/3048999/ht-mega-for-elementor/tags/2.4.7/includes/widgets/htmega_weather.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'HT Mega - Absolute Addons For Elementor'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.4.7 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily remove or downgrade contributor-level (and other untrusted) user accounts until the patch is applied, and make sure open registration does not hand out the Contributor role (Settings → General → New User Default Role).
Disable Plugin
Deactivate the HT Mega plugin until patched if it is not critically needed; the vulnerable widget code cannot run while the plugin is inactive.
🧯 If You Can't Patch
- Tighten file permissions (e.g., 600 for sensitive files, 755 for directories) so the PHP process can read nothing it does not need; this limits the blast radius outside the web root but cannot protect wp-config.php, which PHP must be able to read
- Add web application firewall (WAF) rules that block directory traversal sequences in requests, including URL-encoded variants such as %2e%2e%2f and double-encoded ..%252f
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the version of 'HT Mega - Absolute Addons For Elementor'. If it is 2.4.6 or lower, you are vulnerable. An installed but inactive copy should be updated too, before anyone reactivates it.
Check Version:
wp plugin get ht-mega-for-elementor --field=version (if WP-CLI is installed; the slug ht-mega-for-elementor is the plugin's directory name), or wp plugin list --name=ht-mega-for-elementor --field=version, or check the WordPress admin plugins page
Verify Fix Applied:
After updating, verify plugin version shows 2.4.7 or higher in WordPress plugins list.
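An added example for the verification steps above (not code from the plugin, WordPress or the advisory): it evaluates the JSON that `wp plugin list --format=json` prints and flags a vulnerable install, comparing versions numerically so that a future 2.4.10 is not mistaken for something older than 2.4.7. The plugin slug ht-mega-for-elementor is taken from the plugins.trac URLs in the references; the plugin-list JSON below is a constructed sample.

```python
import json
import re

# Added example for the advisory above; not code from the HT Mega plugin or WordPress.
# Assumes the plugin slug is ht-mega-for-elementor (taken from the plugins.trac URLs
# in the references) and that the fixed version is 2.4.7.
PLUGIN_SLUG = "ht-mega-for-elementor"
PATCHED_VERSION = "2.4.7"


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so comparisons are numeric.

    A plain string compare would rank '2.4.10' below '2.4.7' and report a
    patched install as vulnerable.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True for every release up to and including 2.4.6."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def assess(plugin_list_json: str) -> dict:
    """Evaluate the JSON printed by `wp plugin list --format=json`.

    Returns installed/active/version/vulnerable so the result can be fed to
    an inventory script instead of being eyeballed in wp-admin.
    """
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "0")
            return {
                "installed": True,
                "active": plugin.get("status") == "active",
                "version": version,
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "active": False, "version": None, "vulnerable": False}


# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.20.1"},
    {"name": "ht-mega-for-elementor", "status": "active", "update": "available", "version": "2.4.6"},
])

if __name__ == "__main__":
    # On a real host:  wp plugin list --format=json | python3 check_htmega.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    print(assess(data))
```

Run it across a fleet by piping each site's `wp plugin list --format=json` into the script; an inactive copy still reports `vulnerable: True`, which is intended, since the code is present and will run as soon as someone reactivates the plugin.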
📡 Detection & Monitoring
Log Indicators:
- Requests in web server logs whose parameters contain '../' sequences, including URL-encoded forms ('%2e%2e%2f', '..%2f') and double-encoded forms ('..%252f'); decode before matching
- Multiple failed authentication attempts followed by a successful contributor-level login, then activity around the weather widget
Network Indicators:
- HTTP requests with '../' patterns in parameters sent to HT Mega endpoints
- Note that a contributor can also plant the traversal value in a widget's saved settings through the Elementor editor; that payload travels in a POST body and never appears in the access log, so stored Elementor data should be searched as well
SIEM Query (pseudo-query; adapt the field names to your platform and apply it to the URL-decoded request):
web_access_logs WHERE url CONTAINS "htmega_weather" AND (url CONTAINS "../" OR parameters CONTAINS "../")
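An added example implementing the detection logic above, not code from the plugin, WordPress or the advisory. It decodes each request path before matching so encoded and double-encoded traversal sequences are caught, and it also walks a post's `_elementor_data` blob (the post meta key Elementor uses for saved page content) because the payload may live in stored widget settings rather than in any URL. The admin-ajax action, the `icon` parameter, the widget type `htmega-weather-addons` and the setting key `weather_icon` in the constructed samples are placeholders; take the real request shape and setting key from htmega_weather.php in the referenced changeset before deploying this.

```python
import json
import re
from urllib.parse import unquote

# Added example for the detection notes above; not code from the plugin or the advisory.
# The admin-ajax action, the `icon` parameter and the widget/setting names used in the
# constructed samples are PLACEHOLDERS; take the real request shape and setting key
# from htmega_weather.php in the referenced changeset before deploying this.

# "../" or "..\" after decoding; catches ..%2f, %2e%2e/, and double-encoded ..%252f.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Apache/Nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding; stop early once stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    return TRAVERSAL_RE.search(fully_decode(value)) is not None


def scan_access_log(lines):
    """Return (ip, method, decoded_path, status) for weather-widget requests carrying '../'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "htmega_weather" in path.lower() and has_traversal(path):
            hits.append((m.group("ip"), m.group("method"), fully_decode(path), m.group("status")))
    return hits


def scan_elementor_data(elementor_json: str):
    """Walk one post's _elementor_data blob; return (widgetType, setting, value) for traversal values.

    A contributor normally plants the payload in saved widget settings, which the
    Elementor editor sends in a POST body that never reaches the access log, so the
    stored data has to be searched in addition to the web log.
    """
    findings = []

    def walk(node):
        if isinstance(node, dict):
            widget = node.get("widgetType", "")
            for key, val in node.get("settings", {}).items():
                if isinstance(val, str) and has_traversal(val):
                    findings.append((widget, key, val))
            for child in node.get("elements", []):
                walk(child)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(elementor_json))
    return findings


# Constructed access-log lines (RFC 5737 test addresses, placeholder parameter names).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=htmega_weather&icon=../../../../wp-config.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=htmega_weather&icon=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:01:19 +0000] "GET /wp-admin/admin-ajax.php?action=htmega_weather&icon=%2e%2e%252f%2e%2e%252fetc/passwd HTTP/1.1" 200 1403 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-content/plugins/ht-mega-for-elementor/assets/css/style.css HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:02:03 +0000] "GET /wp-admin/admin-ajax.php?action=htmega_weather&icon=sunny HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Constructed _elementor_data for one post: a weather widget with a traversal value beside a benign heading.
SAMPLE_ELEMENTOR_DATA = json.dumps([{
    "id": "a1b2c3", "elType": "section", "settings": {}, "elements": [{
        "id": "d4e5f6", "elType": "column", "settings": {}, "elements": [
            {"id": "0a1b2c", "elType": "widget", "widgetType": "htmega-weather-addons",
             "settings": {"weather_icon": "../../../../wp-config"}, "elements": []},
            {"id": "3d4e5f", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Forecast"}, "elements": []},
        ],
    }],
}])

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("LOG  ", hit)
    for finding in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print("META ", finding)
```

On a live site, feed `scan_elementor_data` the `meta_value` of every `_elementor_data` row in the postmeta table (for example via `wp db query`), and pair the access-log hits with the WordPress user who authored the matching post to identify the contributor account involved. The decoding loop is bounded on purpose: three rounds cover the double-encoding seen in practice without turning a log scanner into a denial-of-service target.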
🔗 References
- https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_weather.php#L401
- https://plugins.trac.wordpress.org/changeset/3048999/ht-mega-for-elementor/tags/2.4.7/includes/widgets/htmega_weather.php?old=2939273&old_path=ht-mega-for-elementor/trunk/includes/widgets/htmega_weather.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/11b5f0a1-bf22-46be-a165-c62f1077da0f?source=cve