CVE-2025-8401: 
WordPress vulnerability analysis and mitigation

The HT Mega – Absolute Addons For Elementor plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2025-8401) affecting all versions up to and including 2.9.1. The vulnerability exists in the 'getpostdata' function, which allows authenticated attackers with Author-level access or higher to extract sensitive data including private, password-protected, and draft posts and pages (NVD).

The vulnerability is classified as CWE-285 (Improper Authorization) with a CVSS v3.1 Base Score of 4.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue stems from insufficient authorization checks in the 'getpostdata' function, which allows users with Author-level privileges to access content they shouldn't have permission to view (NVD, Wordfence).

The vulnerability allows authenticated attackers with Author-level access or higher to access sensitive information including private posts, password-protected content, and draft posts and pages that they should not have permission to view. This could lead to unauthorized access to confidential information stored in these protected posts (NVD).

The vulnerability has been patched in version 2.9.2 of the HT Mega – Absolute Addons For Elementor plugin. Users are advised to update to this version or later to protect against unauthorized access to sensitive content (Wordfence).