Element Invader – Template Kits for Elementor <= 1.2.4 - Missing Authorization

This research plan outlines the steps to investigate and exploit CVE-2026-24386, a missing authorization vulnerability in the Element Invader – Template Kits for Elementor plugin.

---

1. Vulnerability Summary

The Element Invader plugin (versions <= 1.2.4) fails to implement proper capability checks on at least one AJAX handler registered via wp_ajax_. This allows any authenticated user with Subscriber-level privileges to trigger administrative functions. The vulnerability typically resides in functions responsible for importing templates, installing kit data, or modifying plugin settings.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Vulnerable Action: elementinvader_install_kit or elementinvader_import_template (inferred; agent must verify via grep).
• Authentication: Authenticated (Subscriber+).
• Parameter: action, nonce, and functionality-specific parameters (e.g., kit_id, template_id).
• Impact: Unauthorized modification of site content, potential overwrite of Elementor layouts, or denial of service by triggering large imports.

3. Code Flow Trace

1. The plugin registers an AJAX handler in its constructor or an init hook:
   add_action( 'wp_ajax_elementinvader_install_kit', [ $this, 'install_kit' ] );
2. The install_kit function (or similar) is called when a POST request is sent to admin-ajax.php with action=elementinvader_install_kit.
3. The function likely performs a nonce check using check_ajax_referer() or wp_verify_nonce().
4. Crucially, the function fails to call current_user_can( 'manage_options' ) before proceeding with the privileged logic.
5. The logic then executes (e.g., fetching a remote JSON kit and inserting it into the database).

4. Nonce Acquisition Strategy

Since this is an authenticated (Subscriber) vulnerability, we need a nonce. Even if a Subscriber cannot access the main "Element Invader" dashboard page, the plugin may enqueue its scripts (and thus its nonces) on other admin pages or even the frontend.

1. Identify Localization: Search for wp_localize_script in the plugin source to find the JavaScript object name and nonce key.
   • Search Pattern: grep -r "wp_localize_script" .
2. Determine Script Loading: Check where the script is enqueued (e.g., admin_enqueue_scripts or wp_enqueue_scripts).
3. Extraction Method:
   • Create a Subscriber user: wp user create attacker attacker@example.com --role=subscriber --user_pass=password
   • If the script loads on the frontend: Navigate to the homepage as the Subscriber.
   • If the script loads on the backend: Navigate to /wp-admin/profile.php as the Subscriber (Subscribers can always access this).
   • Browser Eval: Use browser_eval to extract the nonce:
     window.elementinvader_settings?.nonce or window.ei_ajax?.nonce (Verify the exact name in Step 1).

5. Exploitation Strategy

Once the nonce and the vulnerable action are identified:

1. Preparation: Log in as the Subscriber using the browser_navigate tool to establish a session.
2. Request Construction: Use the http_request tool to send a POST request to /wp-admin/admin-ajax.php.
3. Payload Example (Inferred):

   POST /wp-admin/admin-ajax.php HTTP/1.1
   Content-Type: application/x-www-form-urlencoded
   
   action=elementinvader_install_kit&nonce=EXTRACTED_NONCE&kit_id=123
   

4. Success Condition: A response indicating success (e.g., {"success":true}) and a visible change in the WordPress environment (new templates created).

6. Test Data Setup

1. Install Vulnerable Plugin: Ensure elementinvader version 1.2.4 is active.
2. Subscriber Account: Create a user with the subscriber role.
3. Elementor Setup: Ensure Elementor is installed and active, as this plugin depends on it.
4. Discovery: Run the following command to find the specific AJAX actions:

   grep -rn "wp_ajax_elementinvader_" /var/www/html/wp-content/plugins/elementinvader/
   

7. Expected Results

• The http_request from the Subscriber user returns a status 200 OK with a success payload.
• The application performs a task (like importing a template) that should be restricted to administrators.
• The response does NOT return a 403 Forbidden or an error indicating insufficient permissions.

8. Verification Steps

1. Check Post Count: If the action was a template import, check the database for new posts of type elementor_library:

   wp post list --post_type=elementor_library
   

2. Check Plugin Options: If the action was a settings change, verify the option value:

   wp option get elementinvader_settings
   

3. Review Response: Ensure the response body confirms execution.

9. Alternative Approaches

• Bypassing Nonce (if applicable): If check_ajax_referer is called with die=false, check if the function proceeds anyway without verifying the return value.
• Frontend Leakage: Check if the nonce is enqueued via wp_head for all users. If so, this could potentially be upgraded to an Unauthenticated vulnerability if wp_ajax_nopriv_ is also used (unlikely given CVSS).
• REST API: Check if the plugin registers any REST routes (register_rest_route) without a permission_callback, as these often mirror AJAX functionality.