ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite
Description
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LTechnical Details
What Changed in the Fix
Changes introduced in v3.9.0
Source Code
WordPress.org SVNThis research plan outlines the steps required to demonstrate the Missing Authorization vulnerability in the ElementsKit Elementor Addons plugin (CVE-2026-4362). ### 1. Vulnerability Summary The ElementsKit Elementor Addons plugin (specifically the Lite version up to 3.8.2) contains a flaw in its `…
Show full research plan
This research plan outlines the steps required to demonstrate the Missing Authorization vulnerability in the ElementsKit Elementor Addons plugin (CVE-2026-4362).
1. Vulnerability Summary
The ElementsKit Elementor Addons plugin (specifically the Lite version up to 3.8.2) contains a flaw in its Live_Action::reset() function. This function is designed to reset the Elementor layout data for custom widget templates. However, the function is hooked to the global init action and executes based on the presence of common GET parameters (post and action=elementor) without verifying the user's identity or checking for a security nonce. This allows an unauthenticated attacker to permanently delete the layout configuration (_elementor_data) of any post of the type elementskit_widget, effectively breaking the custom widget designs.
2. Attack Vector Analysis
- Endpoint: The root site URL (the function is hooked to
init). - Target Hook:
init - Vulnerable Function:
ElementsKit_Lite\Modules\Widget_Builder\Live_Action::reset(inferred module path based on post type). - Parameters:
post(GET): The ID of theelementskit_widgetto target.action(GET): Must be set toelementor.
- Authentication: None (Unauthenticated).
- Preconditions: An
elementskit_widgetcustom post type must exist on the site.
3. Code Flow
- During WordPress initialization,
ElementsKit_Lite\Core\Build_Modules(seecore/build-modules.php) loads active modules. - The
Widget_Buildermodule (part of ElementsKit) initializes theLive_Actionclass. - The
Live_Actionconstructor registers a callback to theinithook. - The
initcallback checks for the presence of$_GET['post']and$_GET['action'] == 'elementor'. - If these are present, it calls
reset($_GET['post']). - The
reset()function usesupdate_post_meta($post_id, '_elementor_data', '')(or a similar empty JSON string) to clear the layout data without anycurrent_user_can()check orwp_verify_nonce()check.
4. Nonce Acquisition Strategy
Based on the vulnerability description, no nonce is required. The vulnerability exists precisely because the init hook processes these parameters globally before any authentication or nonce verification occurs in the vulnerable code path.
5. Exploitation Strategy
- Discovery: Enumerate the site for existing
elementskit_widgetIDs. These are often used for custom header/footer elements or custom widgets. - Verification of Target: Check if the post ID corresponds to an
elementskit_widgettype. - The Attack: Send a simple unauthenticated GET request to the WordPress index with the specifically crafted parameters.
HTTP Request Payload:
GET /?post=[TARGET_POST_ID]&action=elementor HTTP/1.1
Host: [TARGET_HOST]
Connection: close
Note: While action=elementor is also used by the legitimate Elementor editor, the ElementsKit hook triggers earlier or alongside it, and because it lacks auth checks, it clears the data before the user is even redirected to a login page.
6. Test Data Setup
To verify the exploit, the following environment must be prepared:
- Activate Plugin: Ensure
elementskit-liteversion 3.8.2 is installed and active. - Create Content: Use WP-CLI to create a dummy
elementskit_widget.# Create the widget post WIDGET_ID=$(wp post create --post_type=elementskit_widget --post_title="Vulnerable Widget" --post_status=publish --porcelain) # Add dummy Elementor data to simulate a complex design wp post meta update $WIDGET_ID _elementor_data '[{"id":"1","elType":"section","settings":{},"elements":[{"id":"2","elType":"column","settings":{"_column_size":100},"elements":[{"id":"3","elType":"widget","settings":{"title":"Hello World"},"widgetType":"heading"}]}]}]'
7. Expected Results
- HTTP Response: The server may return a 200 OK or a redirect to a login page (if Elementor core also attempts to handle the
action=elementor). - Database Impact: Regardless of the HTTP response status, the metadata
_elementor_datafor the targeted post ID will be overwritten with an empty value or a blank Elementor template structure.
8. Verification Steps
After sending the HTTP request, verify the damage using WP-CLI:
# Check if the _elementor_data meta key is empty or changed
wp post meta get [WIDGET_ID] _elementor_data
Success Condition: The output of the get command is empty or significantly different from the "Hello World" JSON payload injected during setup.
9. Alternative Approaches
If the action=elementor check is insufficient (e.g., if the plugin requires a specific ekit-specific parameter in some sub-versions), check for a hidden "ekit_action" parameter:
- Alternative URL:
/?post=[ID]&action=elementor&ekit_action=reset(inferred from common plugin reset patterns). - Alternative Post Type: While the description focuses on
elementskit_widget, this logic might also impactheader_footer_builderpost types if they share the same reset logic module.
Summary
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthenticated data modification due to a missing capability check in the Live_Action::reset() function. An attacker can overwrite and effectively delete the layout data of any 'elementskit_widget' post by providing specific GET parameters, leading to a permanent loss of widget configurations.
Security Fix
@@ -31,6 +31,11 @@ $this->modules = \ElementsKit_Lite\Config\Module_List::instance()->get_list( 'active' ); foreach ( $this->modules as $module_slug => $module ) { + // Check tier access + if ( isset( $module['tier'] ) && ! \ElementsKit_Lite\Utils::is_tier( $module['tier'] ) ) { + continue; + } + if ( isset( $module['path'] ) ) { include_once $module['path'] . 'init.php'; } ... (truncated)
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by identifying a target post of the type 'elementskit_widget' and obtaining its ID. The attacker then sends a GET request to the WordPress site's root URL with the parameters 'post=[TARGET_ID]' and 'action=elementor'. Because the 'Live_Action::reset()' function is hooked to the 'init' action and lacks any 'current_user_can()' authorization or 'wp_verify_nonce()' verification, the plugin processes the request and calls 'update_post_meta' to clear the '_elementor_data' meta field for the targeted post. This action permanently deletes the Elementor configuration and layout for that widget.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.