A critical vulnerability has been identified in the WordPress HT Mega plugin. It could allow a malicious actor to escalate a low-privileged account to one with higher privileges, which could then be used to take full control of the website. The vulnerability was discovered and reported by Rafie Muhammad of Patchstack.

The vulnerability is caused by a flaw in the way the HT Mega plugin handles user permissions. This flaw allows a malicious actor to exploit a low-privileged account to gain access to a higher-privileged account.

The vulnerability has been fixed in version 2.2.1 of the HT Mega plugin. Users who have installed this version are not affected by the vulnerability.


The vulnerability has a CVSS 3.1 score of 9.8, which is the highest possible score for a critical vulnerability. This means that the vulnerability is very easy to exploit and could have a severe impact on a website.

Affected Versions

The vulnerability affects all versions of the HT Mega plugin prior to 2.2.1.


If a malicious actor is able to exploit this vulnerability, they could gain full control of the website. This could allow them to do anything from deleting or modifying content to installing malware.


WordPress users who have installed the HT Mega plugin are advised to update to the latest version (2.2.1) as soon as possible. This will fix the vulnerability and protect their websites from attack.
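
To confirm which installs still run an affected release, the check below reads the "Version:" field from a plugin's header comment and compares it numerically against 2.2.1. It is an added example, not code from the plugin or from Patchstack. The directory passed to scan_plugin_dir and the sample headers are assumptions constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (2, 2, 1)  # first fixed release named in the advisory

# Mirrors how WordPress reads the "Version:" field of a plugin's comment header.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if no header field."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    nums = []
    for part in m.group(1).split(".")[:3]:
        digits = re.match(r"\d+", part)
        nums.append(int(digits.group()) if digits else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(header_text):
    """True if older than FIXED, False if patched, None if version is unknown."""
    version = parse_version(header_text)
    return None if version is None else version < FIXED

def scan_plugin_dir(plugin_dir):
    """Check each top-level .php file in one plugin directory (hypothetical path)."""
    results = {}
    for php in sorted(Path(plugin_dir).glob("*.php")):
        text = php.read_text(errors="replace")[:8192]  # header sits at top of file
        verdict = is_affected(text)
        if verdict is not None:
            results[php.name] = verdict
    return results

# Constructed sample headers, not copied from the real plugin.
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: Example\n * Version: 2.2.0\n */\n"
SAMPLE_FIXED = "<?php\n/**\n * Plugin Name: Example\n * Version: 2.2.1\n */\n"
SAMPLE_LATER = "<?php\n/**\n * Plugin Name: Example\n * Version: 2.10.0\n */\n"

if __name__ == "__main__":
    for name, sample in [("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("later", SAMPLE_LATER)]:
        print(name, parse_version(sample), "affected" if is_affected(sample) else "patched")
```

Versions are compared as integer tuples because a plain string comparison would rank 2.10.0 below 2.2.1 and report a patched install as affected.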