CVE-2025-8068: 
WordPress vulnerability analysis and mitigation

The HT Mega – Absolute Addons For Elementor WordPress plugin was found to contain a security vulnerability (CVE-2025-8068) that was disclosed on July 30, 2025. The vulnerability affects all versions up to and including 2.9.1. This security issue involves improper authorization in the plugin's capability checking mechanism (NVD, Wordfence).

The vulnerability stems from an improper capability check on the 'ajaxtrashtemplates' function. The issue has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-863 (Incorrect Authorization) (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to delete arbitrary attachment files and move arbitrary posts, pages, and templates to the Trash. This creates a potential for unauthorized modification and loss of data within WordPress installations running the affected plugin versions (NVD).

The vulnerability has been patched in version 2.9.2 of the HT Mega – Absolute Addons For Elementor plugin. Users are advised to update to this version immediately to protect their WordPress installations (Wordfence).