[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faA13zz59dZfy-dfDYW5J5rQqZsSbT1kz5jLVhnBY_uk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-49782","elementor-website-builder-more-than-just-a-page-builder-missing-authorization","Elementor Website Builder – more than just a page builder \u003C= 4.1.0 - Missing Authorization","The Elementor Website Builder – more than just a page builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","elementor",null,"\u003C=4.1.0","4.1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-02 00:00:00","2026-06-08 14:50:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5bd9ae0d-aa3a-4fb3-93b8-0e25bd01e162?source=api-prod",7,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fai-layout.strings.js","assets\u002Fjs\u002Fai.strings.js","assets\u002Fjs\u002Fapp-loader.strings.js","assets\u002Fjs\u002Fapp-packages.strings.js","assets\u002Fjs\u002Fapp.strings.js","assets\u002Fjs\u002Feditor-document.strings.js","assets\u002Fjs\u002Feditor-modules.strings.js","assets\u002Fjs\u002Fimport-export-admin.strings.js","researched",false,3,"# Research Plan: CVE-2026-49782 - Elementor Missing Authorization in AJAX Handlers\n\n## 1. Vulnerability Summary\nThe **Elementor Website Builder** plugin for WordPress (versions \u003C= 4.1.0) contains a missing authorization vulnerability within its centralized AJAX dispatching system. The plugin registers a primary AJAX action, `elementor_ajax`, which acts as a gateway for dozens of internal sub-actions (commands). While some commands correctly verify user capabilities, several sub-actions (likely related to the newly introduced **AI Layout** and **Template Kit** features) fail to validate if the authenticated user has sufficient permissions (e.g., `edit_others_posts` or `manage_options`) before executing their logic. This allows a user with **Contributor** level access to perform actions they are not authorized for, such as manipulating layout data or accessing administrative content.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `elementor_ajax`\n*   **Vulnerable Parameter:** `actions` (a JSON-encoded string containing a map of sub-commands and their data).\n*   **Authentication Requirement:** Authenticated user with at least **Contributor** role.\n*   **Preconditions:** An attacker must obtain a valid AJAX nonce, which is typically localized in the WordPress admin dashboard for all logged-in users.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the handler via `add_action( 'wp_ajax_elementor_ajax', [ $ajax_manager, 'handle_ajax_request' ] );`.\n2.  **Parsing:** The `handle_ajax_request` method in the `Ajax` manager module parses the `actions` JSON payload.\n3.  **Command Execution:** It iterates through the requested actions and instantiates specific command classes (e.g., related to `AI Layout` or `Document` actions).\n4.  **Vulnerability:** The specific command handler (e.g., `get_remote_template_content` or `save_builder_data`) lacks a `current_user_can()` check or relies on an insufficient capability check that allows Contributors to modify or retrieve data they do not own.\n\n## 4. Nonce Acquisition Strategy\nElementor nonces are exposed via localized JavaScript objects in the WordPress admin. Based on common Elementor architecture:\n*   **JavaScript Variable:** `window.elementorCommon.config.ajax.nonce`\n*   **Acquisition Method:**\n    1.  Log in as a **Contributor**.\n    2.  Navigate to any page in the WordPress admin dashboard (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n    3.  Execute the following via `browser_eval`:\n        ```javascript\n        window.elementorCommon?.config?.ajax?.nonce || window.elementorConfig?.ajax?.nonce\n        ```\n*   **Alternative:** If the script is only loaded on specific pages, navigate to `\u002Fwp-admin\u002Fadmin.php?page=elementor-app` (the Elementor App Loader, referenced in `assets\u002Fjs\u002Fapp-loader.strings.js`).\n\n## 5. Exploitation Strategy\nWe will attempt to perform an unauthorized action using the `elementor_ajax` action. A common target for \"Integrity: Low\" (CVSS 4.3) is retrieving or slightly modifying layout content.\n\n### HTTP Request (using `http_request` tool)\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=elementor_ajax\n    &_nonce=[EXTRACTED_NONCE]\n    &actions={\"exploit_cmd\":{\"action\":\"get_remote_template_content\",\"data\":{\"editor_post_id\":1,\"template_id\":\"12345\"}}}\n    ```\n    *(Note: Replace `editor_post_id` with an existing Post ID and `template_id` with a valid or placeholder ID).*\n\n### Alternative Sub-Actions (based on provided `.strings.js` files):\nIf `get_remote_template_content` is patched, try:\n*   **AI Layout Generation:** `{\"cmd\":{\"action\":\"ai_layout_get_content\",\"data\":{...}}}` (referenced by `ai-layout.strings.js`).\n*   **Delete Content:** `{\"cmd\":{\"action\":\"delete_all_content\",\"data\":{\"post_id\":1}}}` (referenced by `editor-document.strings.js` string: `\"Attention: We are going to DELETE ALL CONTENT from this page.\"`).\n\n## 6. Test Data Setup\n1.  **Users:** \n    *   Administrator: `admin` \u002F `password`\n    *   Contributor: `attacker` \u002F `password`\n2.  **Content:**\n    *   Create a Page (Post ID `1`) as the Administrator and edit it with Elementor.\n3.  **Plugin:**\n    *   Ensure Elementor \u003C= 4.1.0 is installed and activated.\n\n## 7. Expected Results\n*   **Vulnerable:** The server returns a `200 OK` with a JSON object containing the result of the sub-action (e.g., `\"success\": true` and the template content or confirmation of deletion).\n*   **Patched:** The server returns a `200 OK` but the JSON internal response indicates a failure, such as `{\"success\": false, \"data\": \"permission_denied\"}` or a `403 Forbidden` status.\n\n## 8. Verification Steps\n1.  Check the HTTP response body for the `success: true` flag inside the specific action's response.\n2.  **Database Check:** Use WP-CLI to verify if the unauthorized action took effect:\n    ```bash\n    wp post get 1 --field=post_content\n    ```\n    If the action was `delete_all_content`, the content should be empty or reverted.\n\n## 9. Alternative Approaches\nIf the `elementor_ajax` action requires a specific editor state, try exploiting the REST API routes if they exist for the AI features:\n*   **Endpoint:** `\u002Fwp-json\u002Felementor\u002Fv1\u002Fai\u002Fget-layout`\n*   **Method:** `POST`\n*   **Auth:** Include the `X-WP-Nonce` (retrieved via `window.wpApiSettings.nonce`).","The Elementor Website Builder plugin for WordPress (versions up to 4.1.0) fails to properly validate user capabilities within its centralized AJAX dispatching system. This allows authenticated users with Contributor-level permissions to execute restricted sub-actions, potentially leading to unauthorized data retrieval or content modification.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F4.1.0\u002Fassets\u002Fjs\u002Fai-layout.strings.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F4.1.1\u002Fassets\u002Fjs\u002Fai-layout.strings.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F4.1.0\u002Fassets\u002Fjs\u002Fai-layout.strings.js\t2026-05-26 08:54:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementor\u002F4.1.1\u002Fassets\u002Fjs\u002Fai-layout.strings.js\t2026-05-27 11:26:54.000000000 +0000\n@@ -231,61 +231,6 @@\n __( 'blocks', 'elementor' );\n __( 'Loading', 'elementor' );\n __( 'Show prompt history', 'elementor' );\n-__( 'Cancel', 'elementor' );\n-__( 'Yes, leave', 'elementor' );\n-__( 'Preview unavailable', 'elementor' );\n-__( 'Hero section on [topic] with heading, text, buttons on the right, and an image on the left', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'About Us section on [topic] with heading, text, and big image below', 'elementor.com' ) },\n-\t{ text: __( 'Team section with four image boxes showcasing team members', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'FAQ section with a toggle widget showcasing FAQs about [topic]', 'elementor.com' ) },\n-\t{ text: __( 'Gallery section with a carousel displaying three images at once', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'Contact section with a form for [topic]', 'elementor.com' ) },\n-\t{ text: __( 'Client section featuring companies\\' logos', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'Testimonial section with testimonials, each featuring a star rating and an image', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'Service section about [topic], showcasing four services with buttons', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'Stats section with counters displaying data about [topic]', 'elementor.com' ) },\n-\t{ text: __( 'Quote section with colored background, featuring a centered quote', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'Pricing section for [topic] with a pricing list', 'elementor.com' ) },\n-\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n-\t{ text: __( 'Subscribe section featuring a simple email form, inviting users to stay informed on [topic]', 'elementor.com' ) },\n-] );\n-\n-const IconButtonWithTooltip = ( { tooltip, ...props } ) => (\n-\t\u003CTooltip title={ tooltip }>\n-\t\t\u003CBox component=\"span\" sx={ { cursor: props.disabled ? 'default' : 'pointer' } }>\n-\t\t\t\u003CIconButton { ...props } \u002F>\n-\t\t\u003C\u002FBox>\n-\t\u003C\u002FTooltip>\n-);\n-\n-IconButtonWithTooltip.propTypes = {\n-\ttooltip: PropTypes.string,\n-\tdisabled: PropTypes.bool,\n-};\n-\n-const BackButton = ( props ) => (\n-\t\u003CIconButtonWithTooltip size=\"small\" color=\"secondary\" tooltip={ __( 'Back to results', 'elementor' );\n-__( 'Edit prompt', 'elementor' );\n-__( 'Generate', 'elementor' );\n-__( \"Press '\u002F' for suggested prompts or describe the layout you want to create\", 'elementor' );\n-__( 'Suggested Prompts', 'elementor' );\n-__( 'Upgrade your plan for best results.', 'elementor' );\n-__( 'You won’t be able to use layouts with Elementor Pro widgets until you do.', 'elementor' );\n-__( 'Go Pro', 'elementor' );\n-__( 'Go Pro', 'elementor' );\n-__( 'Pro', 'elementor' );\n-__( \"This result includes an Elementor Pro widget that's not available with your current plan. Upgrade to use all the widgets in this result.\", 'elementor' );\n-__( 'AI', 'elementor' );\n-__( 'Beta', 'elementor' );\n-__( 'Reference a website', 'elementor' );\n-__( 'Create variations from Template Library', 'elementor' );\n __( 'None', 'elementor' );\n __( 'Photographic', 'elementor' );\n __( 'None', 'elementor' );\n@@ -366,6 +311,61 @@\n __( 'Generate again', 'elementor' );\n __( 'Enhance prompt', 'elementor' );\n __( 'Back', 'elementor' );\n+__( 'Cancel', 'elementor' );\n+__( 'Yes, leave', 'elementor' );\n+__( 'Preview unavailable', 'elementor' );\n+__( 'Hero section on [topic] with heading, text, buttons on the right, and an image on the left', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'About Us section on [topic] with heading, text, and big image below', 'elementor.com' ) },\n+\t{ text: __( 'Team section with four image boxes showcasing team members', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'FAQ section with a toggle widget showcasing FAQs about [topic]', 'elementor.com' ) },\n+\t{ text: __( 'Gallery section with a carousel displaying three images at once', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'Contact section with a form for [topic]', 'elementor.com' ) },\n+\t{ text: __( 'Client section featuring companies\\' logos', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'Testimonial section with testimonials, each featuring a star rating and an image', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'Service section about [topic], showcasing four services with buttons', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'Stats section with counters displaying data about [topic]', 'elementor.com' ) },\n+\t{ text: __( 'Quote section with colored background, featuring a centered quote', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'Pricing section for [topic] with a pricing list', 'elementor.com' ) },\n+\t\u002F\u002F Translators: [Topic] is a placeholder for the user - please translate it as well\n+\t{ text: __( 'Subscribe section featuring a simple email form, inviting users to stay informed on [topic]', 'elementor.com' ) },\n+] );\n+\n+const IconButtonWithTooltip = ( { tooltip, ...props } ) => (\n+\t\u003CTooltip title={ tooltip }>\n+\t\t\u003CBox component=\"span\" sx={ { cursor: props.disabled ? 'default' : 'pointer' } }>\n+\t\t\t\u003CIconButton { ...props } \u002F>\n+\t\t\u003C\u002FBox>\n+\t\u003C\u002FTooltip>\n+);\n+\n+IconButtonWithTooltip.propTypes = {\n+\ttooltip: PropTypes.string,\n+\tdisabled: PropTypes.bool,\n+};\n+\n+const BackButton = ( props ) => (\n+\t\u003CIconButtonWithTooltip size=\"small\" color=\"secondary\" tooltip={ __( 'Back to results', 'elementor' );\n+__( 'Edit prompt', 'elementor' );\n+__( 'Generate', 'elementor' );\n+__( \"Press '\u002F' for suggested prompts or describe the layout you want to create\", 'elementor' );\n+__( 'Suggested Prompts', 'elementor' );\n+__( 'Upgrade your plan for best results.', 'elementor' );\n+__( 'You won’t be able to use layouts with Elementor Pro widgets until you do.', 'elementor' );\n+__( 'Go Pro', 'elementor' );\n+__( 'Go Pro', 'elementor' );\n+__( 'Pro', 'elementor' );\n+__( \"This result includes an Elementor Pro widget that's not available with your current plan. Upgrade to use all the widgets in this result.\", 'elementor' );\n+__( 'AI', 'elementor' );\n+__( 'Beta', 'elementor' );\n+__( 'Reference a website', 'elementor' );\n+__( 'Create variations from Template Library', 'elementor' );","The exploit targets the 'elementor_ajax' endpoint, which manages internal plugin commands. An attacker with Contributor-level access must first obtain a valid AJAX nonce, typically available via the 'elementorCommon.config.ajax.nonce' global variable in the admin dashboard. The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'actions' parameter containing a JSON-encoded payload. This payload specifies a restricted sub-command (e.g., 'delete_all_content' or 'get_remote_template_content') and its associated data (like a target Post ID). Because the plugin's server-side logic fails to verify if the requesting user has the required capabilities for that specific sub-action, the command is executed with administrative privileges.","gemini-3-flash-preview","2026-06-26 06:05:13","2026-06-26 06:06:34",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F4.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.4.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F4.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.4.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags"]