WordPress Plugin Vulnerabilities

ElementsKit Elementor Addons < 3.9.0 - Unauthenticated Missing Authorization to Widget Content Overwrite

Description

The plugin is vulnerable to unauthorized data modification due to a missing capability check on the `Live_Action::reset()` function, which is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type via a specially crafted URL, permanently replacing widget designs, text, and configurations with a blank template.

Affects Plugins

Plugin icon
elementskit-lite
Fixed in 3.9.0

References

CVE
CVE-2026-4362
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7740fdfb-65b2-4d27-935f-b0e73487f0c4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Jack Pas (Dark.)
Verified
No
WPVDB ID
cbe32847-7af6-4ffd-b1f6-88ac0cd1caa5

Timeline

Publicly Published
2026-05-04 (about 10 days ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2026-03-28
Title
AI Engine (Pro) < 3.4.2 - Missing Authorization
Published
2023-11-14
Title
Essential Grid < 3.0.19 - Missing Authorization
Published
2024-02-09
Title
Login Lockdown – Protect Login Form < 2.09 - Subscriber+ Options Leak
Published
2024-07-19
Title
Getwid – Gutenberg Blocks < 2.0.11 - Missing Authorization to Google API key update
Published
2026-02-13
Title
Mogi <= 1.2.3 - Missing Authorization