Elementor Website Builder < 3.35.8 – Contributor+ Sensitive Information Exposure via Elementor Template | CVE 2026-1206 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Incorrect Authorization to Sensitive Information Exposure due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.

Affects Plugins

Fixed in 3.35.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

44a36810-631b-47ca-82f7-e90a5bda1538

Timeline

Publicly Published

2026-03-25 (about 1 month ago)

Added

2026-03-25 (about 1 month ago)

Last Updated

2026-03-25 (about 1 month ago)

Other

Published

Title

Published

2023-12-06

Title

Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read

Published

2025-10-15

Title

Truelysell Core < 1.8.7 - Unauthenticated Arbitrary User Password Change

Published

2024-09-04

Title

Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution

Published

2026-01-16

Title

Frontend File Manager Plugin < 23.6 - Unauthenticated Insecure Direct Object Reference

Published

2026-01-02

Title

Innovio <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference