Impact
The Envo's Templates & Widgets plugin for Elementor and WooCommerce includes a flaw in the Envo Tabs and Off‑Canvas widgets. A missing authorization check in the render() method of the Tabs widget allows the template/post ID supplied by a user to be passed directly to Elementor's get_builder_content_for_display() without verifying the referenced post’s status or the viewer’s permission. An authenticated user with Author‑level access can therefore embed a reference to a private Elementor page in a widget placed on a public post and cause that private content to be rendered for anonymous visitors, resulting in a private‑content disclosure.
Affected Systems
The vulnerability affects envothemes' Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress, specifically all releases up to and including version 1.4.26. WordPress sites that have installed this plugin and have an Author or higher level role capable of editing widget JSON via the Elementor REST API are impacted.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated Author‑level user; the attacker must have permission to edit the widget’s JSON or use the REST API, after which the private content becomes visible to anyone who can view the public post. The risk is that confidential or draft Elementor pages may be exposed to non‑authenticated visitors if the attacker can craft and publish a widget that references those pages.
OpenCVE Enrichment