Description
The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).
Published: 2026-07-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Envo's Templates & Widgets plugin for Elementor and WooCommerce includes a flaw in the Envo Tabs and Off‑Canvas widgets. The render() method of the Tabs widget takes the template/post ID stored in the widget's settings and hands it straight to Elementor's get_builder_content_for_display(), which renders the referenced post's Elementor content without checking its post status (published, private or draft) or whether the visitor is allowed to read it. Because widget settings are JSON that any user who can edit the host post with Elementor can modify, an authenticated Author can point a widget on one of their own public posts at the ID of a private or draft page they could not otherwise read (the Author role lacks read_private_posts and read_private_pages), and that content is then rendered for every visitor, including anonymous ones. The result is a private‑content disclosure; nothing on the referenced page itself is modified.
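The pattern the analysis describes, shown as an added illustration that is not the plugin's own code: an unsafe render() that echoes whatever template ID the widget settings carry, next to a hardened version that evaluates the viewer's right to read the referenced post at render time. The function, class and setting names (`templates`, `template_id`) are assumptions, since the advisory gives only the setting key `templates` and not the widget's full settings layout; get_builder_content_for_display(), get_post(), is_post_publicly_viewable() (WordPress 5.7+), post_password_required() and current_user_can() are real Elementor and WordPress APIs.

```php
<?php
/**
 * Added illustration (not the plugin's own code). Names of the example
 * functions and of the settings keys are assumptions.
 */

// Vulnerable pattern: whatever post ID sits in the widget settings is rendered.
// An Author who stores a private page's ID here leaks it to every visitor,
// because get_builder_content_for_display() renders any post that has Elementor
// data and performs no status or capability check of its own.
function envo_example_render_unsafe( array $settings ) {
	$frontend = \Elementor\Plugin::$instance->frontend;
	foreach ( (array) $settings['templates'] as $tab ) {
		echo $frontend->get_builder_content_for_display( (int) $tab['template_id'] );
	}
}

/**
 * Return true only if the *current visitor* may see $post_id inline.
 *  - Password-protected posts cannot honour their password prompt when embedded
 *    in another post, so only users who can edit them get them inline.
 *  - Published posts of a public post type are visible to everyone.
 *  - Anything else (private, draft, pending, trash, non-public type) is shown
 *    only when WordPress says the user may read it: read_post maps to
 *    read_private_posts for private posts and to edit_post for drafts, so an
 *    Author cannot reach other users' private pages through this check.
 */
function envo_example_can_view_template( $post_id ) {
	$post = get_post( (int) $post_id );
	if ( ! $post ) {
		return false;
	}
	if ( post_password_required( $post ) ) {
		return current_user_can( 'edit_post', $post->ID );
	}
	if ( is_post_publicly_viewable( $post ) ) {
		return true;
	}
	return current_user_can( 'read_post', $post->ID );
}

// Hardened pattern: the ID is still attacker-chosen, but the authorization
// decision is made for the viewer at render time, so a reference to a private
// page renders only for users who could open that page directly anyway.
function envo_example_render_safe( array $settings ) {
	$frontend = \Elementor\Plugin::$instance->frontend;
	foreach ( (array) $settings['templates'] as $tab ) {
		$template_id = isset( $tab['template_id'] ) ? (int) $tab['template_id'] : 0;
		if ( ! envo_example_can_view_template( $template_id ) ) {
			// Fail closed and leave a trace; never echo part of the template.
			error_log( sprintf( 'envo-example: skipped template %d for unauthorized viewer', $template_id ) );
			continue;
		}
		echo $frontend->get_builder_content_for_display( $template_id );
	}
}
```

The check deliberately runs per request rather than at save time: validating the ID when the Author saves the widget would not help, because the Author may legitimately reference their own private draft and the question is always who is looking at the rendered page.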

Affected Systems

The vulnerability affects envothemes' Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress, all releases up to and including version 1.4.26. A site is exposed when the plugin is active and at least one untrusted account holds the Author role or higher and can edit posts with the Elementor editor; the widget settings are submitted through the Elementor editor REST API, so an ordinary editor session is all that is required.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects a network‑reachable, low‑complexity issue that needs an authenticated low‑privilege account and yields a limited confidentiality impact only. EPSS is below 1% (very low), and the CVE is not listed in the CISA KEV catalog. Exploitation requires an Author‑level account that can save Elementor widget settings for a publicly viewable post; once such a widget is published, the referenced private or draft content is served to anyone who loads that post, with no further action by the attacker and no interaction from the victim. The practical risk is the exposure of content that relies on private or draft status for confidentiality (unreleased pages, internal templates, staging copies), which is why the weakness is classified as CWE‑862 (missing authorization).

Generated by OpenCVE AI on July 2, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Envo's Templates & Widgets for Elementor and WooCommerce to a release that adds the missing authorization check as soon as the vendor publishes one; at the time this page was generated no fixed version is listed.
  • Audit all public posts for Envo Tabs widgets that reference private Elementor templates and either remove those references or modify the widget to point only to published content.
  • Until a fix is applied, restrict who can submit widget settings through the Elementor editor: limiting which roles may use Elementor (for example through Elementor's Role Manager settings) keeps Author‑level accounts from editing widget JSON, at the cost of those users losing the Elementor editor for their own posts; blocking the editor REST route outright has the same effect. A server‑side check that validates the referenced template's status and the viewer's capability before rendering is the more targeted control, because it does not depend on trusting whoever edited the widget.
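An audit script for the second action above, added here as an example and not part of the plugin or of OpenCVE: it walks the stored Elementor data of every published post and reports widgets that reference templates an anonymous visitor should not see. It assumes the affected widgets' widgetType contains the string "envo" (the advisory does not give the exact widget names) and that the reference lives under the widget's `templates` setting, as the advisory title states; because the exact settings layout is unknown, it collects every numeric value found beneath that key, whether scalar or repeater row. The `_elementor_data` post meta, the `elements`/`widgetType`/`settings` element tree, and the WordPress and WP‑CLI functions used are real; the script file name is an assumption.

```php
<?php
/**
 * Added audit script (not part of the plugin or of OpenCVE).
 * Run from the site root with WP-CLI:   wp eval-file envo-template-audit.php
 *
 * Assumptions: widgetType of the affected widgets contains "envo", and the
 * template reference sits under the "templates" setting.
 */

/** Recursively collect positive integer values found under a "templates" key. */
function envo_audit_collect_ids( $value, array &$ids ) {
	if ( is_array( $value ) ) {
		foreach ( $value as $v ) {
			envo_audit_collect_ids( $v, $ids );
		}
	} elseif ( is_numeric( $value ) && (int) $value > 0 ) {
		$ids[] = (int) $value;
	}
}

/** Walk an Elementor element tree; append [widget => type, ids => [...]] for envo widgets. */
function envo_audit_find_refs( array $elements, array &$out ) {
	foreach ( $elements as $el ) {
		$type = isset( $el['widgetType'] ) ? (string) $el['widgetType'] : '';
		if ( false !== stripos( $type, 'envo' ) && isset( $el['settings']['templates'] ) ) {
			$ids = array();
			envo_audit_collect_ids( $el['settings']['templates'], $ids );
			if ( $ids ) {
				$out[] = array( 'widget' => $type, 'ids' => array_values( array_unique( $ids ) ) );
			}
		}
		if ( ! empty( $el['elements'] ) && is_array( $el['elements'] ) ) {
			envo_audit_find_refs( $el['elements'], $out );
		}
	}
}

/** Why a referenced post is a problem for anonymous viewers, or null if it is fine. */
function envo_audit_problem( $ref_id ) {
	$post = get_post( $ref_id );
	if ( ! $post ) {
		return 'missing';
	}
	if ( post_password_required( $post ) ) {
		return 'password-protected';
	}
	// is_post_publicly_viewable() is false for private, draft, pending and
	// trashed posts and for non-public post types.
	return is_post_publicly_viewable( $post ) ? null : $post->post_status;
}

/** Findings as rows: [host post ID, widget type, referenced ID, problem]. */
function envo_audit_run() {
	// 'any' skips post types flagged exclude_from_search (e.g. Elementor's own
	// library); add them explicitly to post_type if such templates are hosts too.
	$hosts = get_posts( array(
		'post_type'      => 'any',
		'post_status'    => 'publish',
		'posts_per_page' => -1,
		'fields'         => 'ids',
		'meta_key'       => '_elementor_data',
	) );
	$rows = array();
	foreach ( $hosts as $host_id ) {
		$data = json_decode( (string) get_post_meta( $host_id, '_elementor_data', true ), true );
		if ( ! is_array( $data ) ) {
			continue;
		}
		$refs = array();
		envo_audit_find_refs( $data, $refs );
		foreach ( $refs as $ref ) {
			foreach ( $ref['ids'] as $id ) {
				$problem = envo_audit_problem( $id );
				if ( null !== $problem ) {
					$rows[] = array( $host_id, $ref['widget'], $id, $problem );
				}
			}
		}
	}
	return $rows;
}

foreach ( envo_audit_run() as $row ) {
	WP_CLI::log( vsprintf( 'public post %d: widget %s references post %d (%s)', $row ) );
}
```

Treat every reported row as a reference to remove or repoint at published content; a hit on a `private` or `draft` post placed by an Author‑level account is the exact condition the advisory describes and is worth correlating with that post's revision history.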

Generated by OpenCVE AI on July 2, 2026 at 12:07 UTC.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 06:15:00 +0000

Type: Description
Values removed: (none)
Values added: the Wordfence description reproduced in the Description section at the top of this page

Type: Title
Values removed: (none)
Values added: Envo's Templates & Widgets for Elementor and WooCommerce <= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget 'templates' Setting

Type: Weaknesses
Values removed: (none)
Values added: CWE-862

Type: References
Values removed: (none)
Values added: (empty)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T15:54:20.863Z

Reserved: 2026-06-08T14:54:04.597Z

Link: CVE-2026-11600

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T12:15:04Z

Weaknesses