[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frHhiB5XNe1wjUe4oIeZHkjCVEP-Hlpse9_cGWUlNJys":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1206","elementor-website-builder-incorrect-authorization-to-authenticated-contributor-sensitive-information-exposure-via-elemen","Elementor Website Builder \u003C= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template","The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.","elementor",null,"\u003C=3.35.7","3.35.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-03-25 17:26:49","2026-03-26 05:29:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa4420935-4952-4460-afc2-1c6df6965b3d?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fadmin-feedback.strings.js","assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Fadmin.min.js","assets\u002Fjs\u002Fai-layout.strings.js","assets\u002Fjs\u002Fai.strings.js","assets\u002Fjs\u002Fapp-loader.strings.js","assets\u002Fjs\u002Fapp-packages.strings.js","assets\u002Fjs\u002Fapp.strings.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-1206 (Elementor Website Builder)\n\n## 1. Vulnerability Summary\nThe **Elementor Website Builder** plugin (versions \u003C= 3.35.7) contains an authorization bypass vulnerability in its template library management logic. Specifically, the function `is_allowed_to_read_template()` (inferred to be within the `Template_Library` module) fails to properly validate a user's permission to view templates that are not in a 'published' state (e.g., Drafts, Private, or Pending Review). \n\nWhile the code correctly restricts sensitive templates for unauthenticated users, it incorrectly assumes that any authenticated user with access to the Elementor AJAX endpoint (which includes Contributors) is authorized to read the content of non-published templates without checking if the specific user has the capability to edit that post. This allows a Contributor to leak the full JSON content, including potentially sensitive configurations or internal data, of any template on the site by providing its `template_id`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `elementor_ajax`\n- **Sub-Action (Elementor Internal):** `get_template_data`\n- **Required Parameter:** `template_id` (the ID of the target private\u002Fdraft template)\n- **Authentication:** Authenticated, Contributor role or higher.\n- **Preconditions:** The attacker must know or guess the ID of a private or draft template (which can be found via ID enumeration).\n\n## 3. Code Flow\n1. **Entry Point:** The request hits `admin-ajax.php` with `action=elementor_ajax`.\n2. **AJAX Handler:** Elementor's central AJAX handler (likely in `Core\\Common\\Modules\\Ajax\\Module->handle_ajax_request()`) iterates through the `actions` provided in the POST body.\n3. **Dispatch:** The internal action `get_template_data` is dispatched to the Template Library manager.\n4. **Vulnerable Function:** The manager calls `is_allowed_to_read_template($template_id)`.\n5. **Logic Error:** The function checks the post status of the `$template_id`. If the status is not `publish` (e.g., `draft`), it bypasses the strict `edit_post` capability check and returns `true`, erroneously allowing the read operation.\n6. **Data Leak:** The function `get_template_data` proceeds to fetch the template's content and returns it in the JSON response.\n\n## 4. Nonce Acquisition Strategy\nElementor's AJAX endpoint requires a specific nonce. For a logged-in Contributor, this nonce is globally available in the WordPress admin dashboard where Elementor scripts are loaded.\n\n1. **Log in** as a Contributor.\n2. **Navigate** to any Elementor-related admin page (e.g., `wp-admin\u002Fedit.php?post_type=elementor_library`).\n3. **Extraction:** Use `browser_eval` to extract the AJAX nonce from the `elementorCommon` or `elementorAdmin` configuration objects.\n   - **Key:** `window.elementorCommon.config.ajax.nonce`\n   - **Alternative Key:** `window.elementorAdminConfig.ajax_nonce` (inferred from `assets\u002Fjs\u002Fadmin.js`).\n\n## 5. Exploitation Strategy\n### Step 1: Discover Target Template ID\nThe attacker can enumerate Post IDs via the REST API or by guessing IDs if a specific private template is suspected. For the PoC, we will create a private template as an Admin and note its ID.\n\n### Step 2: Extract AJAX Nonce\nNavigate to the WordPress dashboard as a Contributor and run:\n```javascript\n\u002F\u002F Browser Eval\nreturn window.elementorCommon.config.ajax.nonce;\n```\n\n### Step 3: Send Malicious AJAX Request\nSend a POST request to `admin-ajax.php`. Elementor's AJAX handler expects a specific nested JSON format for the `actions` parameter.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n```http\naction=elementor_ajax&_nonce=[EXTRACTED_NONCE]&actions={\"get_template_data\":{\"action\":\"get_template_data\",\"data\":{\"template_id\":[TARGET_PRIVATE_ID]}}}\n```\n\n### Step 4: Analyze Response\nA successful exploit will return a `200 OK` with a JSON body containing the `data` key for the requested template, revealing the full Elementor widget tree and content.\n\n## 6. Test Data Setup\n1. **Admin Action:** Create an Elementor Template (e.g., a \"Section\" template).\n   - **Title:** \"Sensitive Admin Data\"\n   - **Content:** Add a Text Editor widget with the string `SECRET_ADMIN_TOKEN_12345`.\n   - **Status:** Set to **Draft** or **Private**.\n   - **ID:** Note the ID (e.g., `15`).\n2. **Admin Action:** Create a user with the **Contributor** role.\n3. **Login:** Authenticate as the Contributor.\n\n## 7. Expected Results\n- **Success:** The response JSON contains `\"success\":true` and the `data` field contains the serialized Elementor content of the private template, including the string `SECRET_ADMIN_TOKEN_12345`.\n- **Failure:** The response returns a `403 Forbidden` or a JSON error stating the user is not allowed to perform the action.\n\n## 8. Verification Steps\n1. **Via Browser:** Verify the Contributor cannot see the private template in the \"Templates\" list (`wp-admin\u002Fedit.php?post_type=elementor_library`).\n2. **Via WP-CLI:** Check the template status to confirm it is indeed private:\n   `wp post get [ID] --field=post_status`\n3. **Via PoC:** Ensure the AJAX response includes the template content despite the restricted status.\n\n## 9. Alternative Approaches\nIf the `elementorCommon` object is not available on the Contributor dashboard, try:\n1. Creating a post with an Elementor-related shortcode (e.g., `[elementor-template id=\"1\"]`) to force-load Elementor assets on a frontend page, then extracting the nonce from there.\n2. Checking the `admin-feedback.strings.js` context which indicates some library features are accessible to lower roles via the \"New Template\" buttons.\n3. If the `actions` JSON format differs, capture a legitimate AJAX request from an Admin session to observe the exact structure expected by the `elementor_ajax` handler.","The Elementor plugin contains a logic error in its template permission check function, `is_allowed_to_read_template()`. This function incorrectly grants access to non-published templates (such as drafts or private templates) without verifying if the user has the required edit permissions, allowing authenticated attackers with Contributor-level access to leak sensitive template data.","\u002F\u002F Inferred location: core\u002Fcommon\u002Fmodules\u002Fajax\u002Fmodule.php or includes\u002Ftemplate-library\u002Fmanager.php\n\npublic function is_allowed_to_read_template( $template_id ) {\n    $post_status = get_post_status( $template_id );\n\n    \u002F\u002F Logic Error: The check returns true if the template is NOT published,\n    \u002F\u002F assuming that only published templates need strict capability checks.\n    if ( 'publish' !== $post_status ) {\n        return true;\n    }\n\n    return current_user_can( 'edit_post', $template_id );\n}","--- a\u002Fincludes\u002Ftemplate-library\u002Fmanager.php\n+++ b\u002Fincludes\u002Ftemplate-library\u002Fmanager.php\n@@ -124,10 +124,6 @@\n \tpublic function is_allowed_to_read_template( $template_id ) {\n \t\t$post_status = get_post_status( $template_id );\n \n-\t\tif ( 'publish' !== $post_status ) {\n-\t\t\treturn true;\n-\t\t}\n-\n \t\treturn current_user_can( 'edit_post', $template_id );\n \t}","The exploit targets the Elementor AJAX endpoint and bypasses authorization checks for draft or private templates. \n\n1. Authentication: The attacker must be authenticated as a Contributor or higher.\n2. Nonce Acquisition: Extract the required AJAX nonce from the WordPress admin dashboard by accessing the `window.elementorCommon.config.ajax.nonce` JavaScript variable.\n3. Target Identification: Enumerate or guess the ID of a private or draft template that contains sensitive information.\n4. Request Construction: Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action=elementor_ajax`. \n5. Payload Shape: The POST body must contain a JSON-encoded `actions` parameter specifically calling the `get_template_data` internal action:\n   - `actions={\"get_template_data\":{\"action\":\"get_template_data\",\"data\":{\"template_id\":[TARGET_ID]}}}`\n6. Data Extraction: Because of the logic error in `is_allowed_to_read_template()`, the server will bypass the capability check for non-published IDs and return the full JSON content (including widget configurations and text content) of the requested template.","gemini-3-flash-preview","2026-04-17 22:47:48","2026-04-17 22:48:09",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.35.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F3.35.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.3.35.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F3.35.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.3.35.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags"]