CVE-2026-4362
MEDIUM
NVD
CVSS Score
6.5
Severity
MEDIUM
Published
May 05, 2026
Vendor
unknown
Description
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.
References
- https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/init.php#L37
- https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L10
- https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L27
- https://plugins.trac.wordpress.org/changeset/3499543/elementskit-lite/trunk/modules/widget-builder/live-action.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite/tags/3.8.2&new_path=%2Felementskit-lite/tags/3.9.0