CVE-2026-22468

Absolute Addons For Elementor <= 1.0.14 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.14
PublishedJanuary 5, 2026
Last updatedJanuary 14, 2026
Affected pluginabsolute-addons
Research Plan
Unverified

This research plan targets **CVE-2026-22468**, a missing authorization vulnerability in the **Absolute Addons For Elementor** plugin. This vulnerability allows authenticated users (with Subscriber-level permissions or higher) to execute actions typically reserved for administrators. --- ### 1. Vul…

Show full research plan

This research plan targets CVE-2026-22468, a missing authorization vulnerability in the Absolute Addons For Elementor plugin. This vulnerability allows authenticated users (with Subscriber-level permissions or higher) to execute actions typically reserved for administrators.


1. Vulnerability Summary

The vulnerability exists due to the lack of capability checks (e.g., current_user_can( 'manage_options' )) within one or more AJAX handlers registered via wp_ajax_ hooks. While the plugin may implement nonce verification to prevent CSRF, it fails to verify if the authenticated user has the necessary privileges to perform the requested action. This allows any logged-in user, such as a Subscriber, to perform unauthorized modifications, potentially altering plugin settings or site configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Subscriber-level account (PR:L).
  • Preconditions: The attacker must be logged into the WordPress site.
  • Vulnerable Action (Inferred): Likely an action related to saving settings, such as absolute_addons_save_admin_settings, absolute_addons_update_options, or absolute_addons_settings_save.
  • Payload Parameter: Usually a JSON object or array in a POST request containing settings keys and values.

3. Code Flow (Trace Path)

  1. Registration: The plugin registers AJAX handlers during the init or admin_init hook.
    • Search target: add_action( 'wp_ajax_... in includes/ or admin/ directories.
  2. Entry Point: An authenticated user sends a POST request to admin-ajax.php with a vulnerable action parameter.
  3. Missing Check: The handler function (e.g., save_settings_callback) is called.
  4. Inadequate Verification:
    • The function likely calls check_ajax_referer( 'nonce_name', 'security' ).
    • Crucially, it skips if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }.
  5. Sink: The function proceeds to call update_option() or update_user_meta() based on user-supplied parameters.

4. Nonce Acquisition Strategy

Because this is a wp_ajax_ (authenticated) vulnerability, the nonce is likely localized for the WordPress dashboard.

  1. Identify Shortcode/Page: Check if the plugin enqueues scripts globally in the admin dashboard or only on specific pages.
  2. Create a Page (If needed): If the nonce is only available on pages with an Absolute Addons widget, create one:
    wp post create --post_type=page --post_status=publish --post_content='[absolute_addons_widget]'
    
  3. Navigate and Extract:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/ or the created page.
    • Use browser_eval to search for the localization object.
    • Likely JS Objects: absolute_addons_admin, absolute_addons_data, or AA_Settings.
    • Command: browser_eval("window.absolute_addons_admin?.nonce") or browser_eval("window.absolute_addons_data?.ajax_nonce").

5. Exploitation Strategy

The goal is to use a Subscriber account to change a plugin setting or a core WordPress option.

Step 1: Discovery
Search the plugin code to identify the exact vulnerable action and nonce name.

grep -rn "wp_ajax_" .
# Check the resulting function for missing current_user_can

Step 2: Payload Identification
Identify the parameter name used for settings (often settings, data, or individual option names).

Step 3: Execution
Using the http_request tool, send the malicious request.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=absolute_addons_save_settings_data&security=[NONCE]&settings[some_critical_option]=malicious_value
    
    (Note: Replace absolute_addons_save_settings_data and security with the actual action and nonce parameter name found in Step 1.)

6. Test Data Setup

  1. Install Plugin: Ensure absolute-addons version <= 1.0.14 is active.
  2. Create Subscriber:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
    
  3. Identify Target Option: Find a specific setting the plugin manages (e.g., absolute_addons_settings).

7. Expected Results

  • The server should respond with a 200 OK and likely a JSON success message (e.g., {"success": true}).
  • The database state should reflect the unauthorized change despite the request coming from a Subscriber.

8. Verification Steps

After the exploit attempt, verify the change using WP-CLI:

# Check if the targeted option was changed
wp option get absolute_addons_settings

# Or, if the exploit targeted a core WordPress setting via the vulnerability:
wp option get users_can_register

9. Alternative Approaches

  • Settings Injection: If the handler allows updating any option (blind update_option($_POST['key'], $_POST['value'])), attempt to change users_can_register to 1 and default_role to administrator.
  • Information Disclosure: Check if there are AJAX handlers for retrieving settings (get_settings) that also lack authorization, which could leak sensitive configuration data to a Subscriber.
  • Nonce Bypass Check: Check if check_ajax_referer is called with the third parameter as false and the return value is not checked:
    if ( check_ajax_referer( 'action', 'nonce', false ) ) { // logic } vs check_ajax_referer( 'action', 'nonce', false ); // logic follows anyway.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in an AJAX handler in versions up to, and including, 1.0.14. This allows authenticated attackers with subscriber-level permissions to perform administrative actions, such as updating plugin settings, by crafting a request to the admin-ajax.php endpoint with a valid nonce.

Security Fix

--- a/includes/admin/class-absolute-addons-admin.php
+++ b/includes/admin/class-absolute-addons-admin.php
@@ -50,6 +50,10 @@
 	public function absolute_addons_save_settings_data() {
 		check_ajax_referer( 'absolute_addons_nonce', 'security' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Permission denied', 'absolute-addons' ) ) );
+		}
+
 		$settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
 		update_option( 'absolute_addons_settings', $settings );
 		wp_send_json_success();

Exploit Outline

1. Log in to the WordPress site as a user with Subscriber-level access. 2. Locate and extract the AJAX nonce from the page source or JavaScript console, typically found in localized script objects such as 'absolute_addons_admin' or 'absolute_addons_data'. 3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'absolute_addons_save_settings_data' (or the equivalent vulnerable action identified in the plugin code). 4. Include the 'security' (or equivalent) parameter with the extracted nonce and a 'settings' parameter containing the desired configuration changes. 5. The server will process the request and update the plugin settings without verifying the user's administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.