CVE-2026-4362
Unauthenticated Data Modification in ElementsKit Elementor Addons
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpmet | elementskit_elementor_addons | to 3.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The ElementsKit Elementor Addons plugin for WordPress has a vulnerability in the Live_Action::reset() function due to a missing capability check. This function is triggered during the WordPress init action when specific GET parameters (post and action=elementor) are present. Because there is no authentication or nonce verification, an unauthenticated attacker can exploit this by visiting a specially crafted URL.
This allows the attacker to overwrite the Elementor content (_elementor_data) of any elementskit_widget custom post type, permanently replacing the widget's custom designs, text, and configurations with a blank template.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized modification of website content created with the ElementsKit Elementor Addons plugin. An attacker can erase or replace custom widget designs, text, and configurations, potentially causing loss of important content and disruption of website functionality.
Such unauthorized changes can damage the website's appearance and user experience, possibly leading to reputational harm and operational issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests for the presence of both 'post' and 'action=elementor' GET parameters targeting the WordPress site. Specifically, requests that trigger the Live_Action::reset() function without proper authentication or nonce verification indicate potential exploitation attempts.
You can use network monitoring tools or web server logs to search for URLs containing these parameters. For example, using command-line tools on the server hosting WordPress:
- grep -i 'action=elementor' /path/to/access.log | grep -i 'post='
- Use tools like tcpdump or Wireshark to filter HTTP GET requests containing 'action=elementor' and 'post' parameters.
- Check for unexpected modifications to the '_elementor_data' field in the 'elementskit_widget' custom post types in the WordPress database.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the ElementsKit Elementor Addons plugin to a version later than 3.8.2 where this vulnerability is fixed.
If an update is not immediately possible, restrict access to the WordPress site or specifically block HTTP requests containing both 'post' and 'action=elementor' GET parameters using a web application firewall (WAF) or server-level rules.
Additionally, monitor your site for unauthorized changes to Elementor content and restore from backups if necessary.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to modify Elementor content by overwriting custom post type data without authorization. Such unauthorized data modification can lead to integrity and availability issues of website content.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized modification of data could potentially violate data integrity and security requirements mandated by these regulations, especially if personal or sensitive data is affected.
Organizations using the vulnerable plugin should consider this risk in their compliance assessments and apply necessary patches or mitigations to maintain compliance.