Description
The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.
Published: 2026-03-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a missing capability check in the render_preview function of the Master Addons for Elementor Premium plugin. An attacker who authenticates to the WordPress site with at least Subscriber-level access can trigger this function and inject arbitrary code, leading to full compromise of the web server. This flaw is classified as CWE-94, which denotes code injection weaknesses.

Affected Systems

The problem affects Jewel Theme’s Master Addons for Elementor Premium plugin in all released versions up to and including 2.1.3. The plugin operates within the WordPress CMS, and any site that has installed or upgraded to this version range is potentially vulnerable unless the preview feature is disabled for non-administrators.

Risk and Exploitability

With a CVSS score of 8.8, the flaw is considered high severity. However, the EPSS score is less than 1%, indicating that immediate exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits have been confirmed. The attack requires authentication, so it is limited to roles that can access the WordPress Admin dashboard; once authenticated, the attacker can execute arbitrary code via the preview renderer.

Generated by OpenCVE AI on April 15, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Master Addons for Elementor Premium to the latest version where the issue is fixed.
  • If an upgrade cannot be performed immediately, restrict the widget preview capability to administrators only or disable the plugin for all users except administrators.
  • Consider temporarily removing the plugin from public-facing sites or restricting access to the WordPress admin area until the update is applied.
  • Regularly check the vendor’s website or trusted security advisories for any new patches or additional mitigation guidance.

Generated by OpenCVE AI on April 15, 2026 at 18:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Jeweltheme
Jeweltheme master Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Jeweltheme
Jeweltheme master Addons For Elementor
Wordpress
Wordpress wordpress

Mon, 02 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.
Title Master Addons for Elementor Premium <= 2.1.3 - Authenticated (Subscriber+) Remote Code Execution via render_preview
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Jeweltheme Master Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:35.594Z

Reserved: 2026-02-24T16:55:08.584Z

Link: CVE-2026-3132

cve-icon Vulnrichment

Updated: 2026-03-02T19:35:37.063Z

cve-icon NVD

Status : Deferred

Published: 2026-03-02T18:16:27.947

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-3132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses