Impact
The Premium Addons for KingComposer plugin for WordPress contains a missing authorization flaw in its add_custom_sidebar() and remove_custom_sidebar() AJAX handlers. Both handlers are registered on wp_ajax_nopriv_* hooks and write directly to the octagon_custom_sidebar option without any capability check. As a result, anyone who can reach the public site can invoke them without authentication, creating new custom widget areas or deleting existing ones. Deleting a sidebar silently unregisters every widget assigned to that area, so those widgets stop rendering: the site loses widget configuration and visitors lose the content those widgets displayed. The weakness is classified as missing authorization (CWE-862).
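The vulnerable pattern the advisory describes, beside a hardened version, as an added example; this is not the plugin's own code. The handler names and the octagon_custom_sidebar option come from the advisory, while the request fields (sidebar_name, nonce), the nonce action octagon_sidebar_action, the prefixed function names and the script handle octagon-sidebar-admin are assumptions made for illustration.

```php
<?php
/**
 * Added example, not the plugin's own code. Handler and option names follow the
 * advisory; request fields, nonce action and prefixed helper names are assumed.
 */

/* Vulnerable pattern, shown as comments so it registers nothing.
 * The wp_ajax_nopriv_* registrations make both handlers reachable by logged-out
 * visitors, and the handlers write the option with no capability or nonce check:
 *
 *   add_action( 'wp_ajax_nopriv_add_custom_sidebar',    'add_custom_sidebar' );
 *   add_action( 'wp_ajax_nopriv_remove_custom_sidebar', 'remove_custom_sidebar' );
 *
 *   function add_custom_sidebar() {
 *       $sidebars   = (array) get_option( 'octagon_custom_sidebar', array() );
 *       $sidebars[] = sanitize_text_field( wp_unslash( $_POST['sidebar_name'] ) );
 *       update_option( 'octagon_custom_sidebar', $sidebars ); // anyone can reach this
 *       wp_send_json_success( $sidebars );
 *   }
 */

/* Hardened pattern: authenticated hook only, plus nonce and capability checks. */
add_action( 'wp_ajax_add_custom_sidebar',    'octagon_safe_add_custom_sidebar' );
add_action( 'wp_ajax_remove_custom_sidebar', 'octagon_safe_remove_custom_sidebar' );

/**
 * Shared gate for both handlers. The nonce check stops CSRF against a logged-in
 * administrator; the capability check stops low-privilege accounts (a subscriber
 * can still reach wp_ajax_* hooks) and is the actual fix for CWE-862.
 */
function octagon_sidebar_authorize() {
    check_ajax_referer( 'octagon_sidebar_action', 'nonce' ); // dies with -1 on failure
    if ( ! current_user_can( 'edit_theme_options' ) ) {       // widget-area management capability
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
}

/* Reads and sanitises the assumed sidebar_name field; rejects an empty value. */
function octagon_sidebar_name_from_request() {
    $name = isset( $_POST['sidebar_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['sidebar_name'] ) )
        : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing_sidebar_name', 400 );
    }
    return $name;
}

function octagon_safe_add_custom_sidebar() {
    octagon_sidebar_authorize();
    $name     = octagon_sidebar_name_from_request();
    $sidebars = (array) get_option( 'octagon_custom_sidebar', array() );
    if ( ! in_array( $name, $sidebars, true ) ) {   // idempotent: no duplicate areas
        $sidebars[] = $name;
        update_option( 'octagon_custom_sidebar', $sidebars );
    }
    wp_send_json_success( $sidebars );
}

function octagon_safe_remove_custom_sidebar() {
    octagon_sidebar_authorize();
    $name     = octagon_sidebar_name_from_request();
    $sidebars = (array) get_option( 'octagon_custom_sidebar', array() );
    $sidebars = array_values( array_diff( $sidebars, array( $name ) ) );
    update_option( 'octagon_custom_sidebar', $sidebars );
    wp_send_json_success( $sidebars );
}

/* The nonce the handlers verify must be issued to the admin-side script
 * (handle assumed) so the legitimate UI can include it in its POST. */
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'octagon-sidebar-admin', 'octagonSidebar', array(
        'nonce'   => wp_create_nonce( 'octagon_sidebar_action' ),
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
} );
```

Dropping the wp_ajax_nopriv_* registration removes unauthenticated access, but on its own it is not the fix: any logged-in user, including a subscriber, can call a wp_ajax_* action, so the current_user_can() check is what actually closes the missing-authorization gap, and check_ajax_referer() covers the separate CSRF case.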
Affected Systems
The vulnerability affects the Premium Addons for KingComposer plugin by octagonwebstudio in all versions up to and including 1.1.1. Any WordPress site that has the plugin active and is reachable by unauthenticated visitors is exposed.
Risk and Exploitability
The CVSS score of 5.3 corresponds to Medium severity. Exploitation is straightforward: the AJAX actions are served through the public admin-ajax.php endpoint and require no authentication, so a single crafted POST from any network position that can reach the site suffices. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, so there is no public evidence of widespread exploitation, though the absence of such evidence does not mean the endpoints are not being probed. An attacker who can reach the site can create or delete custom sidebars at will, removing assigned widgets and breaking the site's widget configuration. The impact is confined to the affected WordPress instance; the flaw does not imply remote code execution or privilege escalation.
OpenCVE Enrichment