Description
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
Published: 2026-03-13
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access / Data Manipulation
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a broken access control in Elementor Website Builder that allows an attacker to manipulate content or settings due to incorrect configuration of access control levels. This lack of proper authorization checks can enable unauthorized users to perform privileged actions, compromising the integrity of site content and configurations. The weakness is identified as CWE‑862 (Missing Access Control).

Affected Systems

Elementor:Elementor Website Builder plugin versions up to and including 3.35.5 are affected. The vulnerability applies to all releases from the earliest available through 3.35.5, as indicated by the vendor’s version range.

Risk and Exploitability

The CVSS score is 2.7, indicating low severity, and the EPSS score is less than 1%, implying a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires access to the site's administrative interface or other privileged roles that are improperly restricted. No specific exploit details are provided, but an attacker could potentially exploit misconfigured role permissions to gain unauthorized access to sensitive site functions.

Generated by OpenCVE AI on March 19, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Elementor to a version newer than 3.35.5
  • Verify that role permissions and access control settings are correctly configured
  • Restrict administrative access to trusted users only

Generated by OpenCVE AI on March 19, 2026 at 15:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor Website Builder
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor Website Builder
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
Title WordPress Elementor Website Builder plugin <= 3.35.5 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Elementor Elementor Website Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:17.902Z

Reserved: 2026-03-12T11:11:35.694Z

Link: CVE-2026-32445

cve-icon Vulnrichment

Updated: 2026-03-13T18:50:05.376Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:05.090

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32445

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:20Z

Weaknesses