HT Mega Vulnerability– Absolute Addons For Elementor – Authenticated Directory Traversal – CVE-2024-1974 |WordPress Plugin Vulnerability Report

Plugin Name: HT Mega – Absolute Addons For Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: ht-mega-for-elementor
  • Software Status: Active
  • Software Author: devitemsllc
  • Software Downloads: 3,604,562
  • Active Installs: 100,000
  • Last Updated: March 14, 2024
  • Patched Versions: 2.4.7
  • Affected Versions: <= 2.4.6

Vulnerability Details:

  • Name: HT Mega – Absolute Addons For Elementor <= 2.4.6
  • Title: Authenticated Directory Traversal
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-1974
  • CVSS Score: 8.8
  • Publicly Published: March 14, 2024
  • Researcher: Webbernaut
  • Description: The plugin is vulnerable to Directory Traversal in versions up to 2.4.6 via the render function, allowing authenticated attackers with contributor-level access or higher to read arbitrary files on the server, potentially exposing sensitive information.


HT Mega – Absolute Addons For Elementor, a widely-used plugin for enhancing Elementor with additional widgets and functionalities, has been identified with a significant security vulnerability in versions up to 2.4.6. This vulnerability, known as CVE-2024-1974, involves Directory Traversal, which could allow attackers with sufficient permissions to access sensitive data on the server. The issue has been addressed in the newly released version 2.4.7, enhancing the plugin's security posture.

Detailed Overview:

Discovered by cybersecurity expert Webbernaut, CVE-2024-1974 highlights the critical importance of securing plugin functionalities against unauthorized access to the server's file system. Directory Traversal vulnerabilities can lead to the exposure of sensitive information, which could have severe implications for website security and data privacy.

Advice for Users:

  • Immediate Action: Update to version 2.4.7 immediately to mitigate the vulnerability.
  • Check for Signs of Vulnerability: Monitor your website for any unusual activity or unauthorized access attempts, as these could indicate exploitation of the vulnerability.
  • Alternate Plugins: While the patched version is secure, users may consider other Elementor addons that provide similar functionalities with strong security measures.
  • Stay Updated: Regularly updating all WordPress components, including plugins, themes, and the core, is crucial for maintaining site security.


The prompt patching of CVE-2024-1974 by the developers of HT Mega – Absolute Addons For Elementor underscores the continuous challenge of maintaining security in the WordPress ecosystem. For WordPress site administrators, especially those overseeing sites for small businesses with limited technical resources, understanding the importance of timely software updates and following security best practices is essential for protecting against potential threats.


In today's digital landscape, the security of WordPress websites is paramount, particularly as cyber threats become increasingly sophisticated. The recent discovery of a significant vulnerability in the "HT Mega – Absolute Addons For Elementor" plugin underscores the critical importance of keeping your site's components updated to safeguard against potential breaches.

Plugin Overview

"HT Mega – Absolute Addons For Elementor" is a widely used plugin that enhances the Elementor page builder with additional widgets and functionalities. Developed by devitemsllc, the plugin boasts over 3.6 million downloads and is actively installed on 100,000 WordPress sites. It is designed to offer a more comprehensive and flexible design experience for Elementor users.

Vulnerability Details

The vulnerability in question, identified as CVE-2024-1974, is categorized as an Authenticated Directory Traversal. With a CVSS score of 8.8, it poses a high risk, as it allows attackers with contributor-level access or higher to read arbitrary files on the server, potentially exposing sensitive information. This vulnerability affects all plugin versions up to 2.4.6 and has been patched in version 2.4.7.

Risks and Impacts

Directory Traversal vulnerabilities like CVE-2024-1974 can lead to the exposure of sensitive data, compromising website security and user privacy. The ability of attackers to access server files can result in data breaches, unauthorized data manipulation, and a loss of trust among site users and customers.

Remediation and User Advice

Users of the plugin are strongly encouraged to update to the patched version, 2.4.7, immediately. Additionally, monitoring your website for unusual activity or unauthorized access attempts is crucial in detecting potential exploitation of this vulnerability. While the updated version addresses this specific issue, exploring alternative Elementor addons with robust security features may provide an added layer of security.

Previous Vulnerabilities

The HT Mega plugin has encountered six vulnerabilities since April 13, 2021, highlighting the ongoing security challenges faced by popular WordPress plugins. These instances emphasize the need for continuous vigilance and prompt updates to mitigate risks.


The swift resolution of CVE-2024-1974 by the HT Mega plugin developers is a testament to the importance of proactive security measures within the WordPress community. For small business owners and website administrators, especially those with limited technical support, staying informed about vulnerabilities and ensuring timely software updates are key to protecting digital assets against evolving cyber threats. As the online landscape continues to grow in complexity, prioritizing website security is not just advisable—it's essential.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

HT Mega Vulnerability– Absolute Addons For Elementor – Authenticated Directory Traversal – CVE-2024-1974 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment