Description
Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23.
Published: 2026-01-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access due to broken access control
Action: Apply Patch
AI Analysis

Impact

The flaw is a missing authorization defect in the X Addons for Elementor plugin that allows an attacker to bypass configured access control security levels. By exploiting this weakness, a malicious actor could perform actions that are normally restricted, potentially reading or altering site content or configuration. The weakness is identified as CWE‑862 (Missing Authorization), a form of broken access control, which directly threatens content integrity and site configuration.

Affected Systems

The affected product is the WordPress plugin X Addons for Elementor by pencilwp. All releases from the earliest available through version 1.0.23 are vulnerable. No specific sub‑versions beyond 1.0.23 are listed, indicating any installed instance of the plugin at or below this version is impacted.

Risk and Exploitability

The CVSS score of 4.3 classifies the severity as medium, and the EPSS score of less than 1% signifies a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack path involves triggering the plugin’s functionality from a web request where authorisation checks are omitted. The exact exploitation conditions are not explicitly detailed, so it is inferred that an unauthenticated or authenticated request to the plugin’s exposed interfaces without proper role validation would be sufficient to bypass access controls; the PR:L metric in the published CVSS vector points to the low-privileged authenticated case.

Generated by OpenCVE AI on April 16, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade X Addons for Elementor to a version newer than 1.0.23
  • If upgrading is not immediately possible, disable or remove the plugin to eliminate the vulnerable code
  • Review and refine WordPress user roles to enforce the least privilege principle, ensuring that only authorized roles can access or modify plugin functionality

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pencilwp; Pencilwp x Addons For Elementor; Wordpress; Wordpress wordpress
Vendors & Products | | Pencilwp; Pencilwp x Addons For Elementor; Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23.
Title | | WordPress X Addons for Elementor plugin <= 1.0.23 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:50.172Z

Reserved: 2026-01-23T12:32:17.047Z

Link: CVE-2026-24605

Vulnrichment

Updated: 2026-01-23T20:14:03.784Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:19.247

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses