# CVE-2024-4875
HT Mega โ€“ Absolute Addons For Elementor <= 2.5.2 - Missing Authorization to Options Update

### Description:

The HT Mega โ€“ Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update options such as users_can_register, which can lead to unauthorized user registration. But this is kind of pointless as you need a registered user to open registration but if you know of another value that can be set to true in the options this would enable it.

Severity: medium
CVE ID: CVE-2024-4875
CVSS Score: 4.3
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Plugin Slug: ht-mega-for-elementor
Reference URL: