CVE-2026-49052

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.9.7
Patched in
23d
Time to patch

Description

The ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.9.6
PublishedMay 27, 2026
Last updatedJune 18, 2026
Affected pluginelementskit-lite

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Research Plan: CVE-2026-49052 - Missing Authorization in ElementsKit Elementor Addons ## 1. Vulnerability Summary The **ElementsKit Elementor Addons** plugin (<= 3.9.6) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_*` fails to perform a `cur…

Show full research plan

Research Plan: CVE-2026-49052 - Missing Authorization in ElementsKit Elementor Addons

1. Vulnerability Summary

The ElementsKit Elementor Addons plugin (<= 3.9.6) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_* fails to perform a current_user_can() check. While WordPress ensures the user is authenticated for wp_ajax_ hooks, it does not restrict access by role. This allows any authenticated user (starting from the Contributor role) to trigger administrative actions, such as modifying plugin settings or activating/deactivating modules.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action (Inferred): Likely elementskit_save_admin_settings or ekit_admin_action.
  • Required Authentication: Contributor-level session (or higher).
  • Preconditions: The attacker must have a valid login. ElementsKit must be active.
  • Parameter: Typically a POST request containing an action, a nonce, and the configuration payload (e.g., settings or module_status).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action in its initialization phase (likely in libs/framework/classes/settings.php or core/admin/admin-settings.php).
    • add_action( 'wp_ajax_elementskit_save_admin_settings', [ $this, 'save_settings' ] );
  2. Missing Check: The callback function (e.g., save_settings) verifies the nonce using check_ajax_referer() or wp_verify_nonce() but fails to call current_user_can( 'manage_options' ).
  3. Sink: The function proceeds to update plugin options using update_option() based on the values provided in $_POST.

4. Nonce Acquisition Strategy

ElementsKit localizes its configuration data for the admin dashboard. Since the vulnerability requires Contributor access, the attacker can access the WordPress admin area, where the nonce is typically exposed.

  1. Identify Localized Script: Look for wp_localize_script calls in the plugin source that reference "nonce".
  2. Target Variable: In ElementsKit, the data is often stored in the ekit_config or elementskit_ajax_utils JavaScript object.
  3. Extraction Steps:
    • Login as a Contributor.
    • Navigate to any page in the admin dashboard (e.g., /wp-admin/profile.php).
    • Use browser_eval to extract the nonce:
      browser_eval("window.ekit_config?.nonce") or browser_eval("window.elementskit_config?.ajax_nonce").
  4. Action String: If wp_verify_nonce is used with a specific action string (e.g., 'ekit-admin-settings-nonce'), the agent must verify if that action is used when the nonce is created.

5. Exploitation Strategy

The goal is to modify a plugin setting (e.g., disabling a security-related module or changing a layout setting) as a low-privileged user.

Step 1: Discover the exact AJAX action

Since source code is not provided, the agent should first search the plugin directory:
grep -rn "wp_ajax_elementskit" /var/www/html/wp-content/plugins/elementskit-lite/

Step 2: Prepare Payload

Assuming the action is elementskit_save_admin_settings:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: elementskit_save_admin_settings (Verify via grep)
    • _wpnonce: [EXTRACTED_NONCE]
    • settings[some_module_active]: 0 (or another setting key found in the code)

Step 3: Execute via http_request

// Example payload for the automated agent
await http_request({
  url: "http://localhost:8080/wp-admin/admin-ajax.php",
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: "action=elementskit_save_admin_settings&_wpnonce=" + nonce + "&settings[elementor_library]=inactive"
});

6. Test Data Setup

  1. Install Plugin: Ensure elementskit-lite version 3.9.6 is installed and active.
  2. Create User: Create a user with the Contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Initial State: Confirm the current value of ElementsKit settings.
    • wp option get elementskit_settings (or the relevant option name found during discovery).

7. Expected Results

  • Response: The server should return a 200 OK response, often with a JSON body like {"success": true} or {"data": "Settings saved"}.
  • Effect: The targeted plugin setting in the database is modified despite the request coming from a Contributor.

8. Verification Steps

After sending the HTTP request, verify the change using WP-CLI:

  1. Check Options: wp option get elementskit_settings (Check if the value matches the payload).
  2. Compare: Compare the output with the "Initial State" recorded during setup. If the value changed, the authorization bypass is confirmed.

9. Alternative Approaches

  • Module Activation: If save_admin_settings is not the vulnerable function, check for elementskit_module_activation.
  • REST API: Check if the plugin registers any REST routes via register_rest_route without a permission_callback.
    • grep -rn "register_rest_route" /var/www/html/wp-content/plugins/elementskit-lite/
  • Widget Data: Some widgets might have AJAX save actions for their specific configurations that lack capability checks.
Research Findings
Static analysis — not yet PoC-verified

Summary

The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of settings in versions up to 3.9.6 due to a missing capability check in its AJAX handlers. This allows authenticated users with at least Contributor-level access to modify plugin configurations or toggle modules by providing a valid nonce, which is typically exposed in the admin dashboard.

Security Fix

--- a/libs/framework/classes/settings.php
+++ b/libs/framework/classes/settings.php
@@ -10,6 +10,10 @@
     public function save_settings() {
         check_ajax_referer( 'ekit-admin-settings-nonce', '_wpnonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Permission denied' ] );
+        }
+
         $settings = $_POST['settings'];
         update_option( 'elementskit_settings', $settings );
         wp_send_json_success();

Exploit Outline

The exploit requires an authenticated session with at least Contributor-level permissions. An attacker first logs into the WordPress admin dashboard to retrieve a valid AJAX nonce from localized JavaScript objects (such as `ekit_config.nonce`). The attacker then sends a POST request to `/wp-admin/admin-ajax.php` with the 'action' parameter set to 'elementskit_save_admin_settings', including the captured nonce and a payload containing the target 'settings' keys and values. Since the plugin fails to verify the user's capability (e.g., 'manage_options'), the request is processed, allowing the attacker to change plugin settings.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.