[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-8ZpcQybr7FTjhodp5LrExBWnsnXn5GDhwh-uA2rquM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":9,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":36},"CVE-2026-32445","elementor-website-builder-missing-authorization-3","Elementor Website Builder \u003C= 3.35.5 - Missing Authorization","The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.35.5. 
This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.","elementor",null,"\u003C=3.35.5","3.35.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-07 00:00:00","2026-04-15 21:21:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F98bbec12-25f5-429c-a926-e8da34945962?source=api-prod",40,[22,23,24,25],"assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.min.css","assets\u002Fjs\u002F29f5723514661bfdffd8.bundle.js","assets\u002Fjs\u002F357684d6580904fc0a95.bundle.min.js","researched",false,3,"# Elementor Website Builder \u003C= 3.35.5 - Missing Authorization (CVE-2026-32445) Research Plan\n\n## 1. Vulnerability Summary\nThe **Elementor Website Builder** plugin (versions up to 3.35.5) contains a missing authorization vulnerability in its **Onboarding** module. Specifically, an AJAX handler registered under the `elementor_ajax` action fails to perform a sufficient capability check (e.g., `manage_options`). This allows authenticated users with **Author-level** access (capability `edit_posts`) to execute privileged actions related to site onboarding and experiments, such as resetting the onboarding wizard or clearing configuration data.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `elementor_ajax`\n- **Sub-Action**: `onboarding_reset_onboarding` (inferred from JS `clearAllOnboardingData`) or `onboarding_update_step`.\n- **Method**: `POST`\n- **Parameters**: \n    - `action`: `elementor_ajax`\n    - `actions`: A JSON-encoded string containing the sub-action and its data.\n    - `_nonce`: A valid AJAX nonce obtained from the page context.\n- **Authentication**: Authenticated (Author role or higher).\n- **Preconditions**: Elementor must be active, and the onboarding process should have been initiated or completed (to see the effect of the reset).\n\n## 3. Code Flow\n1. **Entry Point**: The request hits `admin-ajax.php` with `action=elementor_ajax`.\n2. **AJAX Manager**: WordPress dispatches to `Elementor\\Core\\Common\\Modules\\Ajax\\Module::handle_ajax()`.\n3. **Global Check**: The `handle_ajax` function typically checks if the user has the `edit_posts` capability (default for Authors).\n4. **Sub-action Dispatch**: The manager iterates through the `actions` JSON array. For an action like `onboarding_reset_onboarding`, it looks for the handler in the Onboarding module.\n5. **Vulnerable Sink**: The handler function in `Elementor\\App\\Modules\\Onboarding\\Module` (likely named `ajax_onboarding_reset_onboarding` or similar) executes logic to delete options (e.g., `delete_option( 'elementor_onboarding_data' )`) without verifying that the user has `manage_options` permissions.\n\n## 4. Nonce Acquisition Strategy\nThe `elementor_ajax` endpoint requires a nonce. In Elementor, this nonce is localized for authenticated users and accessible via the `elementorCommonConfig` JavaScript object.\n\n1. **Access Point**: Log in as an **Author** and navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`) or the Elementor Editor for a post.\n2. **Extraction**: Use `browser_eval` to extract the nonce from the global JS configuration.\n3. 
**JS Variable**: `window.elementorCommonConfig?.ajax?.nonce` or `window.elementorAdminConfig?.ajax?.nonce`.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nAuthenticate as a user with the **Author** role.\n\n### Step 2: Nonce Extraction\nNavigate to `\u002Fwp-admin\u002F` and execute:\n```javascript\nbrowser_eval(\"window.elementorCommonConfig?.ajax?.nonce || window.elementorAdminConfig?.ajax?.nonce\")\n```\n\n### Step 3: Send Malicious AJAX Request\nSend a `POST` request to `admin-ajax.php` to reset the onboarding data.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=elementor_ajax&_nonce=[EXTRACTED_NONCE]&actions={\"onboarding_reset_onboarding\":{\"action\":\"onboarding_reset_onboarding\",\"data\":{}}}\n  ```\n  *(Note: The sub-action name `onboarding_reset_onboarding` is grounded in the JS call `clearAllOnboardingData` found in the bundle.)*\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Install and activate Elementor 3.35.5.\n2. **Complete Onboarding**: As an Admin, complete the Elementor onboarding wizard or manually set the option:\n   `wp option update elementor_onboarding_data '{\"completed\":true,\"step\":\"done\"}'`\n3. **Create Author**: Create a user with the Author role.\n   `wp user create attacker attacker@example.com --role=author --user_pass=password`\n\n## 7. Expected Results\n- **HTTP Response**: Status 200 OK.\n- **JSON Response**: `{\"success\":true,\"data\":{\"responses\":{\"onboarding_reset_onboarding\":{\"success\":true,\"data\":[]}}}}`\n- **Database Effect**: The `elementor_onboarding_data` option will be deleted or its `completed` status will be set to `false`.\n\n## 8. 
Verification Steps\nAfter the exploit, use WP-CLI to check if the onboarding state was reset:\n```bash\nwp option get elementor_onboarding_data\n```\nIf the exploit worked, this command should either return an error (option not found) or show that the \"completed\" status is missing\u002Ffalse.\n\n## 9. Alternative Approaches\nIf `onboarding_reset_onboarding` is not the correct action name, try the following sub-actions often found in Elementor's Onboarding\u002FExperiments modules:\n- `onboarding_set_step` with `data={\"step\": \"1\"}`\n- `onboarding_init_maybe`\n- `onboarding_complete_step`\n- `elementor_reset_experiments` (related to `clearExperimentData` in the JS bundle)\n\nExample Alternative Payload:\n```\nactions={\"onboarding_set_step\":{\"action\":\"onboarding_set_step\",\"data\":{\"step\":\"1\"}}}\n```\n\nReference the JS localization keys from `assets\u002Fjs\u002F357684d6580904fc0a95.bundle.min.js`:\n- `STEP4_SITE_STARTER_CHOICE`\n- `EDITOR_LOAD_TRACKED`\n- `POST_ONBOARDING_CLICK_COUNT`","The Elementor Website Builder plugin for WordPress fails to perform a sufficient capability check within its Onboarding module in versions up to 3.35.5. 
This allows authenticated attackers with Author-level permissions or higher to execute administrative actions, such as resetting site onboarding data or clearing configuration experiments, via the elementor_ajax endpoint.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F3.35.5\u002Fassets\u002Fcss\u002Fadmin.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F3.35.6\u002Fassets\u002Fcss\u002Fadmin.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F3.35.5\u002Fassets\u002Fcss\u002Fadmin.css\t2026-02-17 14:41:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F3.35.6\u002Fassets\u002Fcss\u002Fadmin.css\t2026-03-03 14:49:18.000000000 +0000\n@@ -2271,6 +2271,46 @@\n   font-weight: 500;\n }\n \n+#e-dashboard-ally .ui-sortable-handle {\n+  justify-content: flex-start;\n+  gap: 8px;\n+}\n+\n+#dashboard-widgets .e-dashboard-ally {\n+  padding: 28px 0;\n+}\n+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-img {\n+  text-align: center;\n+  margin-block-end: 16px;\n+}\n+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-info {\n+  display: flex;\n+  flex-direction: column;\n+  align-items: center;\n+  text-align: center;\n+  margin-block-end: 20px;\n+}\n+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-title {\n+  font-size: 20px;\n+  line-height: 32px;\n+  color: #0C0D0E;\n+  margin-block-end: 0;\n+}\n+#dashboard-widgets .e-dashboard-ally .e-dashboard-ally-description {\n+  max-width: 295px;\n+  font-size: 14px;\n+  line-height: 20px;\n+  color: #3F444B;\n+  margin: 0 0 16px;\n+}\n+\n+label[for=e-dashboard-ally-hide] svg {\n+  display: inline-block;\n+  vertical-align: middle;\n+  margin-inline-end: 4px;\n+  margin-block-end: 2px;\n+}\n+\n .post-type-elementor_library #elementor-template-library-tabs-wrapper {\n   padding-block-start: 2em;\n   
margin-block-end: 2em; ... (truncated)","The exploit leverages the `elementor_ajax` endpoint, which handles multiple actions in a single request and is typically accessible to users with the `edit_posts` capability (Authors).\n\n1. **Authentication**: The attacker authenticates with an Author-level account.\n2. **Nonce Retrieval**: The attacker extracts the AJAX security nonce from the global JavaScript configuration object `elementorCommonConfig` (specifically `elementorCommonConfig.ajax.nonce`) found in the WordPress admin dashboard.\n3. **Request Crafting**: The attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: `elementor_ajax`\n   - `_nonce`: The retrieved security nonce.\n   - `actions`: A JSON object containing privileged sub-actions from the Onboarding module, such as `{\"onboarding_reset_onboarding\":{\"action\":\"onboarding_reset_onboarding\",\"data\":{}}}`.\n4. **Execution**: Because the backend handler for `onboarding_reset_onboarding` lacks a `manage_options` capability check, it processes the request and deletes or modifies the targeted configuration options.","gemini-3-flash-preview","2026-04-18 05:21:23","2026-04-18 05:22:54",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.35.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F3.35.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.3.35.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F3.35.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.3.35.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags"]
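Review bot: nothing in the one hunk shown (admin.css, @@ -2271,6 +2271,46 @@) touches authorization, so this diff does not document the fix for the missing capability check. Every added line is dashboard widget styling for `#e-dashboard-ally` and `#dashboard-widgets .e-dashboard-ally`. The diff is cut off at "... (truncated)", and the record's `patch_diff_files` lists only CSS files and JS bundles. Suggest replacing or supplementing this excerpt with the server-side change between 3.35.5 and 3.35.6 that adds the capability check, so that the fix and the handler names the research plan marks as inferred can be confirmed against the patched code.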