CVE-2026-3132
Status: Received - Intake
Remote Code Execution in Master Addons for Elementor Plugin

Publication date: 2026-03-02

Last updated on: 2026-03-02

Assigner: Wordfence

Description
The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview' function. This is due to a missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-02
Generated: 2026-05-07
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

Vendor         Product         Version / Range
master_addons  master_addons   up to and including 2.1.3
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

The Master Addons for Elementor Premium plugin for WordPress has a Remote Code Execution (RCE) vulnerability in all versions up to and including 2.1.3. This vulnerability exists in the 'JLTMA_Widget_Admin::render_preview' function due to a missing capability check.

Because the function does not verify user permissions properly, authenticated users with Subscriber-level access or higher can execute arbitrary code on the server.

This means that attackers with low-level access can exploit this flaw to run malicious code remotely. [1]


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker with Subscriber-level access or above to execute arbitrary code on the server hosting the WordPress site.

The impact includes full compromise of the server, leading to potential data theft, site defacement, malware installation, or further attacks on the network.

The CVSS v3.1 base score of 8.8 indicates a high severity, with high impact on confidentiality, integrity, and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability exists in the Master Addons for Elementor Premium plugin for WordPress in all versions up to and including 2.1.3. Detection involves identifying if the vulnerable plugin version is installed and if unauthorized users with Subscriber-level access or above can invoke the 'render_preview' AJAX function without proper capability checks.

Since the vulnerability is due to missing capability checks in AJAX functions, you can detect exploitation attempts by monitoring HTTP requests to the WordPress admin AJAX endpoint that call the 'render_preview' action without proper authorization.

Suggested commands to detect the vulnerability or exploitation attempts include:

- Check the installed plugin version via WP-CLI: `wp plugin list | grep master-addons` to verify if the version is 2.1.3 or below.
- Search web server logs for AJAX requests to admin-ajax.php with the 'render_preview' action: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'render_preview'`
- Monitor for suspicious POST requests to admin-ajax.php from users with low privileges attempting to execute code.

Note that no explicit detection commands or signatures are provided in the resources. [1, 2]
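The log search above only finds the action name when it is sent in the query string; the following added example (not part of the advisory or the plugin) parses combined-format access log lines, flags admin-ajax.php requests naming `render_preview`, and separately flags POST requests to admin-ajax.php whose action is invisible because request bodies are not logged. The log lines, IPs and timestamps are constructed for the demo.

```python
"""Added example: scan web-server access logs for requests to
wp-admin/admin-ajax.php that name the 'render_preview' AJAX action."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format; the request line carries method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def classify(line):
    """Return 'hit', 'ajax_post_unknown_action', or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(parts.query).get("action", [])
    if "render_preview" in actions:
        return "hit"
    # POST bodies are not recorded in access logs, so an action sent in the
    # body cannot be seen here; flag the request for body-level (WAF/app) review.
    if m.group("method") == "POST" and not actions:
        return "ajax_post_unknown_action"
    return None

def scan(lines):
    """Group matching lines by classification label."""
    out = {"hit": [], "ajax_post_unknown_action": []}
    for line in lines:
        label = classify(line)
        if label:
            out[label].append(line)
    return out

# Constructed sample lines (IPs, timestamps and user agent are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=render_preview HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Mar/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Mar/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, hits in scan(SAMPLE_LOG).items():
        print(f"{label}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

Requests that land in the second bucket need the request body (from a WAF or application log) to confirm which action was invoked.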


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Master Addons for Elementor Premium plugin to version 2.1.4 or later, where strict capability checks and nonce verifications have been added to all AJAX functions including 'render_preview'.

Version 2.1.4 enforces that only users with the 'manage_options' capability (typically administrators) can execute these functions, preventing authenticated users with Subscriber-level access from exploiting the vulnerability.

If updating immediately is not possible, consider temporarily restricting access to the plugin's AJAX endpoints or limiting user roles that can access the WordPress admin area to trusted users only.

Additionally, monitor your logs for suspicious activity targeting the vulnerable AJAX functions and consider applying web application firewall (WAF) rules to block unauthorized requests. [1]

