[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjV3P5AqrbkLEBDuEIQHURJm5MWLL2pHegUSa01adBKg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-4362","elementskit-elementor-addons-missing-authorization-to-unauthenticated-widget-content-overwrite","ElementsKit Elementor Addons \u003C= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite","The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. 
The widget's custom designs, text, and configurations are permanently replaced with a blank template.","elementskit-lite",null,"\u003C=3.8.2","3.9.0","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Missing Authorization","2026-05-04 16:06:48","2026-05-05 04:27:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7740fdfb-65b2-4d27-935f-b0e73487f0c4?source=api-prod",1,[22,23,24,25,26,27,28,29],"core\u002Fbuild-modules.php","core\u002Fbuild-widgets.php","core\u002Fconfig-list.php","core\u002Feditor-promotion.php","elementskit-lite.php","helpers\u002Futils.php","languages\u002Felementskit-lite.pot","libs\u002Fframework\u002Fassets\u002Fcss\u002Fadmin-style.css","researched",false,3,"This research plan outlines the steps required to demonstrate the Missing Authorization vulnerability in the ElementsKit Elementor Addons plugin (CVE-2026-4362).\n\n### 1. Vulnerability Summary\nThe ElementsKit Elementor Addons plugin (specifically the Lite version up to 3.8.2) contains a flaw in its `Live_Action::reset()` function. This function is designed to reset the Elementor layout data for custom widget templates. However, the function is hooked to the global `init` action and executes based on the presence of common GET parameters (`post` and `action=elementor`) without verifying the user's identity or checking for a security nonce. This allows an unauthenticated attacker to permanently delete the layout configuration (`_elementor_data`) of any post of the type `elementskit_widget`, effectively breaking the custom widget designs.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** The root site URL (the function is hooked to `init`).\n*   **Target Hook:** `init`\n*   **Vulnerable Function:** `ElementsKit_Lite\\Modules\\Widget_Builder\\Live_Action::reset` (inferred module path based on post type).\n*   **Parameters:**\n    *   `post` (GET): The ID of the `elementskit_widget` to target.\n    *   `action` (GET): Must be set to `elementor`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** An `elementskit_widget` custom post type must exist on the site.\n\n### 3. Code Flow\n1.  During WordPress initialization, `ElementsKit_Lite\\Core\\Build_Modules` (see `core\u002Fbuild-modules.php`) loads active modules.\n2.  The `Widget_Builder` module (part of ElementsKit) initializes the `Live_Action` class.\n3.  The `Live_Action` constructor registers a callback to the `init` hook.\n4.  The `init` callback checks for the presence of `$_GET['post']` and `$_GET['action'] == 'elementor'`.\n5.  If these are present, it calls `reset($_GET['post'])`.\n6.  The `reset()` function uses `update_post_meta($post_id, '_elementor_data', '')` (or a similar empty JSON string) to clear the layout data without any `current_user_can()` check or `wp_verify_nonce()` check.\n\n### 4. Nonce Acquisition Strategy\nBased on the vulnerability description, **no nonce is required**. The vulnerability exists precisely because the `init` hook processes these parameters globally before any authentication or nonce verification occurs in the vulnerable code path.\n\n### 5. Exploitation Strategy\n1.  **Discovery:** Enumerate the site for existing `elementskit_widget` IDs. These are often used for custom header\u002Ffooter elements or custom widgets.\n2.  **Verification of Target:** Check if the post ID corresponds to an `elementskit_widget` type.\n3.  
**The Attack:** Send a simple unauthenticated GET request to the WordPress index with the specifically crafted parameters.\n\n**HTTP Request Payload:**\n```http\nGET \u002F?post=[TARGET_POST_ID]&action=elementor HTTP\u002F1.1\nHost: [TARGET_HOST]\nConnection: close\n```\n\n*Note: While `action=elementor` is also used by the legitimate Elementor editor, the ElementsKit hook triggers earlier or alongside it, and because it lacks auth checks, it clears the data before the user is even redirected to a login page.*\n\n### 6. Test Data Setup\nTo verify the exploit, the following environment must be prepared:\n1.  **Activate Plugin:** Ensure `elementskit-lite` version 3.8.2 is installed and active.\n2.  **Create Content:** Use WP-CLI to create a dummy `elementskit_widget`.\n    ```bash\n    # Create the widget post\n    WIDGET_ID=$(wp post create --post_type=elementskit_widget --post_title=\"Vulnerable Widget\" --post_status=publish --porcelain)\n    \n    # Add dummy Elementor data to simulate a complex design\n    wp post meta update $WIDGET_ID _elementor_data '[{\"id\":\"1\",\"elType\":\"section\",\"settings\":{},\"elements\":[{\"id\":\"2\",\"elType\":\"column\",\"settings\":{\"_column_size\":100},\"elements\":[{\"id\":\"3\",\"elType\":\"widget\",\"settings\":{\"title\":\"Hello World\"},\"widgetType\":\"heading\"}]}]}]'\n    ```\n\n### 7. Expected Results\n*   **HTTP Response:** The server may return a 200 OK or a redirect to a login page (if Elementor core also attempts to handle the `action=elementor`).\n*   **Database Impact:** Regardless of the HTTP response status, the metadata `_elementor_data` for the targeted post ID will be overwritten with an empty value or a blank Elementor template structure.\n\n### 8. 
Verification Steps\nAfter sending the HTTP request, verify the damage using WP-CLI:\n```bash\n# Check if the _elementor_data meta key is empty or changed\nwp post meta get [WIDGET_ID] _elementor_data\n```\n**Success Condition:** The output of the `get` command is empty or significantly different from the \"Hello World\" JSON payload injected during setup.\n\n### 9. Alternative Approaches\nIf the `action=elementor` check is insufficient (e.g., if the plugin requires a specific ekit-specific parameter in some sub-versions), check for a hidden \"ekit_action\" parameter:\n*   **Alternative URL:** `\u002F?post=[ID]&action=elementor&ekit_action=reset` (inferred from common plugin reset patterns).\n*   **Alternative Post Type:** While the description focuses on `elementskit_widget`, this logic might also impact `header_footer_builder` post types if they share the same reset logic module.","The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthenticated data modification due to a missing capability check in the Live_Action::reset() function. 
An attacker can overwrite and effectively delete the layout data of any 'elementskit_widget' post by providing specific GET parameters, leading to a permanent loss of widget configurations.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.8.2\u002Fcore\u002Fbuild-modules.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.9.0\u002Fcore\u002Fbuild-modules.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.8.2\u002Fcore\u002Fbuild-modules.php\t2022-05-18 16:49:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.9.0\u002Fcore\u002Fbuild-modules.php\t2026-04-06 06:56:24.000000000 +0000\n@@ -31,6 +31,11 @@\n \t\t$this->modules = \\ElementsKit_Lite\\Config\\Module_List::instance()->get_list( 'active' );\n \n \t\tforeach ( $this->modules as $module_slug => $module ) {\n+\t\t\t\u002F\u002F Check tier access\n+\t\t\tif ( isset( $module['tier'] ) && ! \\ElementsKit_Lite\\Utils::is_tier( $module['tier'] ) ) {\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n \t\t\tif ( isset( $module['path'] ) ) {\n \t\t\t\tinclude_once $module['path'] . 'init.php';\n \t\t\t}\n... (truncated)","An unauthenticated attacker can exploit this vulnerability by identifying a target post of the type 'elementskit_widget' and obtaining its ID. The attacker then sends a GET request to the WordPress site's root URL with the parameters 'post=[TARGET_ID]' and 'action=elementor'. Because the 'Live_Action::reset()' function is hooked to the 'init' action and lacks any 'current_user_can()' authorization or 'wp_verify_nonce()' verification, the plugin processes the request and calls 'update_post_meta' to clear the '_elementor_data' meta field for the targeted post. 
This action permanently deletes the Elementor configuration and layout for that widget.","gemini-3-flash-preview","2026-05-04 16:35:23","2026-05-04 16:35:44",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.8.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags\u002F3.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementskit-lite.3.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags\u002F3.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementskit-lite.3.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags"]
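Review bot: The only visible hunk of the `research_fix_diff` (core/build-modules.php, `@@ -31,6 +31,11 @@`) adds a tier check ahead of `include_once $module['path'] . 'init.php';` and contains no `current_user_can()` or nonce verification, so on its own it does not show the authorization fix that the description attributes to `Live_Action::reset()`. The diff is truncated after this hunk; the record should carry the hunk that touches the reset path, or state which of the listed `patch_diff_files` contains it, so the fix can be verified against 3.9.0. If the tier check is meant as the mitigation, the added comment `// Check tier access` should say how it relates to the reset handler, because any module that passes `is_tier()` is still included exactly as before.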