Thim Kit for Elementor < 1.3.8 – Missing Authorization to Unauthenticated Private Course Disclosure | CVE 2026-1870 | Plugin Vulnerabilities

Description

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.

Affects Plugins

thim-elementor-kit

Fixed in 1.3.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7c82577a-e7ee-4549-8d0f-bed09effa035

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Youssef Elouaer

Verified

No

WPVDB ID

e2c19c0b-7ace-4da0-ba38-f481e1844f73

Timeline

Publicly Published

2026-03-14 (about 1 month ago)

Added

2026-03-14 (about 1 month ago)

Last Updated

2026-03-14 (about 1 month ago)

Other

Published

Title

Published

2025-02-03

Title

SocialV - Social Network and Community BuddyPress Theme < 2.0.16 - Missing Authorization to Arbitrary File Download

Published

2024-07-08

Title

Comment Images Reloaded <= 2.2.1 - Authenticated (Subscriber+) Arbitrary Media Deletion

Published

2025-04-01

Title

Mobile App Canvas < 3.8.3 - Missing Authorization

Published

2026-02-18

Title

Influencer < 1.1.8 - Missing Authorization

Published

2023-10-18

Title

Headline Analyzer < 1.3.2 - Missing Authorization via REST APIs