[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5zEc1ViLz2rGEKnSAsv2rIKLfCexTPzKUdJ2ValFuIo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-49052","elementskit-elementor-addons-advanced-widgets-templates-addons-for-elementor-missing-authorization","ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor \u003C= 3.9.6 - Missing Authorization","The ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","elementskit-lite",null,"\u003C=3.9.6","3.9.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-18 18:30:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6f1345b0-a43e-475f-9d19-78600f17b8e6?source=api-prod",23,[],"researched",false,3,"# Research Plan: CVE-2026-49052 - Missing Authorization in ElementsKit Elementor Addons\n\n## 1. Vulnerability Summary\nThe **ElementsKit Elementor Addons** plugin (\u003C= 3.9.6) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_*` fails to perform a `current_user_can()` check. While WordPress ensures the user is authenticated for `wp_ajax_` hooks, it does not restrict access by role. This allows any authenticated user (starting from the **Contributor** role) to trigger administrative actions, such as modifying plugin settings or activating\u002Fdeactivating modules.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action (Inferred):** Likely `elementskit_save_admin_settings` or `ekit_admin_action`. \n*   **Required Authentication:** Contributor-level session (or higher).\n*   **Preconditions:** The attacker must have a valid login. ElementsKit must be active.\n*   **Parameter:** Typically a `POST` request containing an `action`, a `nonce`, and the configuration payload (e.g., `settings` or `module_status`).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX action in its initialization phase (likely in `libs\u002Fframework\u002Fclasses\u002Fsettings.php` or `core\u002Fadmin\u002Fadmin-settings.php`).\n    *   `add_action( 'wp_ajax_elementskit_save_admin_settings', [ $this, 'save_settings' ] );`\n2.  **Missing Check:** The callback function (e.g., `save_settings`) verifies the nonce using `check_ajax_referer()` or `wp_verify_nonce()` but fails to call `current_user_can( 'manage_options' )`.\n3.  **Sink:** The function proceeds to update plugin options using `update_option()` based on the values provided in `$_POST`.\n\n## 4. Nonce Acquisition Strategy\nElementsKit localizes its configuration data for the admin dashboard. Since the vulnerability requires **Contributor** access, the attacker can access the WordPress admin area, where the nonce is typically exposed.\n\n1.  **Identify Localized Script:** Look for `wp_localize_script` calls in the plugin source that reference \"nonce\".\n2.  **Target Variable:** In ElementsKit, the data is often stored in the `ekit_config` or `elementskit_ajax_utils` JavaScript object.\n3.  **Extraction Steps:**\n    *   Login as a **Contributor**.\n    *   Navigate to any page in the admin dashboard (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.ekit_config?.nonce\")` or `browser_eval(\"window.elementskit_config?.ajax_nonce\")`.\n4.  **Action String:** If `wp_verify_nonce` is used with a specific action string (e.g., `'ekit-admin-settings-nonce'`), the agent must verify if that action is used when the nonce is created.\n\n## 5. Exploitation Strategy\nThe goal is to modify a plugin setting (e.g., disabling a security-related module or changing a layout setting) as a low-privileged user.\n\n### Step 1: Discover the exact AJAX action\nSince source code is not provided, the agent should first search the plugin directory:\n`grep -rn \"wp_ajax_elementskit\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Felementskit-lite\u002F`\n\n### Step 2: Prepare Payload\nAssuming the action is `elementskit_save_admin_settings`:\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `elementskit_save_admin_settings` (Verify via grep)\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `settings[some_module_active]`: `0` (or another setting key found in the code)\n\n### Step 3: Execute via http_request\n```javascript\n\u002F\u002F Example payload for the automated agent\nawait http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  method: \"POST\",\n  headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n  body: \"action=elementskit_save_admin_settings&_wpnonce=\" + nonce + \"&settings[elementor_library]=inactive\"\n});\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `elementskit-lite` version 3.9.6 is installed and active.\n2.  **Create User:** Create a user with the **Contributor** role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Initial State:** Confirm the current value of ElementsKit settings.\n    *   `wp option get elementskit_settings` (or the relevant option name found during discovery).\n\n## 7. Expected Results\n*   **Response:** The server should return a `200 OK` response, often with a JSON body like `{\"success\": true}` or `{\"data\": \"Settings saved\"}`.\n*   **Effect:** The targeted plugin setting in the database is modified despite the request coming from a Contributor.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n1.  **Check Options:** `wp option get elementskit_settings` (Check if the value matches the payload).\n2.  **Compare:** Compare the output with the \"Initial State\" recorded during setup. If the value changed, the authorization bypass is confirmed.\n\n## 9. Alternative Approaches\n*   **Module Activation:** If `save_admin_settings` is not the vulnerable function, check for `elementskit_module_activation`.\n*   **REST API:** Check if the plugin registers any REST routes via `register_rest_route` without a `permission_callback`.\n    *   `grep -rn \"register_rest_route\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Felementskit-lite\u002F`\n*   **Widget Data:** Some widgets might have AJAX save actions for their specific configurations that lack capability checks.","The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of settings in versions up to 3.9.6 due to a missing capability check in its AJAX handlers. This allows authenticated users with at least Contributor-level access to modify plugin configurations or toggle modules by providing a valid nonce, which is typically exposed in the admin dashboard.","--- a\u002Flibs\u002Fframework\u002Fclasses\u002Fsettings.php\n+++ b\u002Flibs\u002Fframework\u002Fclasses\u002Fsettings.php\n@@ -10,6 +10,10 @@\n     public function save_settings() {\n         check_ajax_referer( 'ekit-admin-settings-nonce', '_wpnonce' );\n \n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( [ 'message' => 'Permission denied' ] );\n+        }\n+\n         $settings = $_POST['settings'];\n         update_option( 'elementskit_settings', $settings );\n         wp_send_json_success();","The exploit requires an authenticated session with at least Contributor-level permissions. An attacker first logs into the WordPress admin dashboard to retrieve a valid AJAX nonce from localized JavaScript objects (such as `ekit_config.nonce`). The attacker then sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the 'action' parameter set to 'elementskit_save_admin_settings', including the captured nonce and a payload containing the target 'settings' keys and values. Since the plugin fails to verify the user's capability (e.g., 'manage_options'), the request is processed, allowing the attacker to change plugin settings.","gemini-3-flash-preview","2026-06-04 18:14:12","2026-06-04 18:15:00",{"type":33,"vulnerable_version":34,"fixed_version":9,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":9,"fixed_zip":9,"all_tags":37},"plugin","3.9.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags\u002F3.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementskit-lite.3.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags"]