Page Builder Features < 3.6.0 – Contributor+ Post Publication | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized post publication due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval.

Affects Plugins

Fixed in 3.6.0

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6e739eb4-6b8b-4bc7-a1e6-790180668c93

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

johska

Verified

No

WPVDB ID

40d32322-c07c-4c10-a8f4-9d02a65fa06a

Timeline

Publicly Published

2026-02-10 (about 3 months ago)

Added

2026-04-10 (about 1 month ago)

Last Updated

2026-04-10 (about 1 month ago)

Other

Published

Title

Published

2025-10-24

Title

ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution < 4.8.5 - Incorrect Authorization to Authenticated (Editor+) License Status Update

Published

2024-03-12

Title

Awesome Support < 6.1.7 - Insufficient Authorization via wpas_can_delete_attachments()

Published

2025-04-24

Title

Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions

Published

2025-07-30

Title

HT Mega – Absolute Addons For Elementor < 2.9.2 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions

Published

2025-09-19

Title

Booking Manager < 2.1.15 - Contributor+ Booking Deletion