Description
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.
Published: 2026-05-05
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ElementsKit Elementor Addons plugin contains a missing capability check in the Live_Action::reset() function. When both a post parameter and the action=elementor query string are present, the function runs during WordPress initialization, overwriting the _elementor_data field of any elementskit_widget custom post type. The absence of authentication or nonce verification allows anyone with a crafted URL to replace a widget’s design, text, and configuration with a blank template, effectively altering site content and potentially affecting user experience and brand integrity.

Affected Systems

The vulnerability impacts Roxnor's ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor in all releases up to and including version 3.8.2.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity threat. With no EPSS score available and the issue not listed in the CISA KEV catalog, the likelihood of exploitation remains uncertain but non-negligible. Attackers can trigger the flaw over the web by visiting a specifically crafted URL, requiring no credentials or knowledge of site internals. Once exploited, the integrity and availability of widget content are compromised, with the potential for widespread site defacement if many widgets are affected.

Generated by OpenCVE AI on May 5, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ElementsKit Elementor Addons plugin to version 3.9.0 or later.
  • Verify that only authorized users can edit widget content by reviewing custom post type permissions.
  • Apply a web application firewall or security plugin to block unauthenticated requests to the action=elementor endpoint.
  • Audit server logs for unfamiliar requests targeting the elementskit widget endpoint and configure alerts for repeated attempts.
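As an added illustration of the last two actions (not code from OpenCVE, Wordfence or the plugin itself): a Python audit that scans Common Log Format access-log lines for requests carrying the `post` and `action=elementor` parameters named in the description and lists clients that send them repeatedly. The log lines are constructed, and the rule that treats hits outside /wp-admin/ as more suspicious assumes the Elementor editor itself is opened via wp-admin/post.php.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from a real server): two front-end hits from one
# client, an ordinary page view, and an editor session opened under /wp-admin/.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2026:06:01:02 +0000] "GET /?post=15&action=elementor HTTP/1.1" 200 512
198.51.100.9 - - [05/May/2026:06:01:10 +0000] "GET /index.php?p=2 HTTP/1.1" 200 7311
203.0.113.7 - - [05/May/2026:06:01:15 +0000] "GET /?action=elementor&post=16 HTTP/1.1" 200 512
10.0.0.5 - - [05/May/2026:06:02:00 +0000] "GET /wp-admin/post.php?post=3&action=elementor HTTP/1.1" 200 9000
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_reset_trigger(target):
    """True when the query string carries both parameters the description names:
    a `post` value and `action=elementor`, the Live_Action::reset() trigger."""
    qs = parse_qs(urlsplit(target).query)
    return "post" in qs and "elementor" in qs.get("action", [])


def audit(log_text, repeat_threshold=2):
    """List every request carrying the trigger parameters and the clients that
    sent them at least `repeat_threshold` times. A hit outside /wp-admin/ is
    marked suspicious: the editor itself is opened via wp-admin/post.php
    (assumption), so front-end URLs with these parameters are unusual."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_reset_trigger(rec["target"]):
            continue
        path = urlsplit(rec["target"]).path
        hits.append({"ip": rec["ip"], "path": path, "status": rec["status"],
                     "suspicious": not path.startswith("/wp-admin/")})
        per_ip[rec["ip"]] += 1
    repeat = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return {"hits": hits, "repeat_sources": repeat}
```

Access logs record only the query string, which matches the GET-parameter trigger the description gives; feed `audit()` the whole log and alert on any entry in `repeat_sources`.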



Advisories

No advisories yet.

History

Tue, 05 May 2026 06:45:00 +0000

Type: First Time appeared
Values Added: Roxnor; Roxnor elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Roxnor; Roxnor elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor; Wordpress; Wordpress wordpress

Tue, 05 May 2026 05:15:00 +0000

Type: Description
Values Added: The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.

Type: Title
Values Added: ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T04:27:56.288Z

Reserved: 2026-03-17T20:15:55.299Z

Link: CVE-2026-4362

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T05:16:00.257

Modified: 2026-05-05T05:16:00.257

Link: CVE-2026-4362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T06:30:17Z

Weaknesses