The Elementor plugin in WordPress suffers from a permission check flaw that permits unauthorised reading of unpublished templates. The logic error in the is_allowed_to_read_template() function fails to verify that a user has edit rights before allowing visibility of draft or private templates. As a result, an attacker who is logged in with Contributor level or higher can retrieve the full contents of a template by supplying its template_id to the get_template_data action on the elementor_ajax endpoint. This yields confidential design information that should only be visible to template owners or administrators.

WordPress installations running Elementor Website Builder version 3.35.7 or earlier are vulnerable. The flaw is present in all releases up to and including 3.35.7 and is not identified in later releases by the vendor. Site administrators should verify that the plugin is not at a vulnerable version.

The CVSS score of 4.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, implying that large‑scale exploitation has not been observed. Attackers require only authenticated access with Contributor or higher rights, meaning anyone who can log into the site can try to leverage the flaw by submitting a template_id to the elementor_ajax endpoint. The impact is limited to the disclosure of template data and does not involve remote code execution or website takeover, but the availability of design assets may aid further attacks or intellectual property theft.