CVE-2026-12349
Status: Received - Intake

Unauthenticated Widget Area Manipulation in Premium Addons for KingComposer

Vulnerability report for CVE-2026-12349, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Wordfence

Description

The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the add_custom_sidebar() and remove_custom_sidebar() AJAX handlers, both of which are exposed through wp_ajax_nopriv_* hooks and write directly to the octagon_custom_sidebar option via update_option(). This makes it possible for unauthenticated attackers to create arbitrary custom widget areas or delete existing custom sidebars, which can cause widgets assigned to those areas to silently lose their registration and stop rendering.
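The pattern the description names (an AJAX handler reachable through wp_ajax_nopriv_*, writing to an option with no capability check) is easiest to see next to its hardened form. The following is an added illustration written for this page; it is not code from the Premium Addons for KingComposer plugin. The action names, function names, nonce name, the edit_theme_options capability and the assumption that octagon_custom_sidebar stores a flat array of sidebar names are all assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. Hook names, function names,
// the nonce action and the option's internal layout are assumptions.

// --- Weak pattern the advisory describes (kept only for contrast) ---
// Registering the same callback on wp_ajax_nopriv_* makes it reachable without
// a session, and nothing below checks who is calling before update_option().
add_action( 'wp_ajax_add_custom_sidebar',        'pa_kc_add_custom_sidebar_weak' );
add_action( 'wp_ajax_nopriv_add_custom_sidebar', 'pa_kc_add_custom_sidebar_weak' );

function pa_kc_add_custom_sidebar_weak() {
    $sidebars   = (array) get_option( 'octagon_custom_sidebar', array() );
    $sidebars[] = isset( $_POST['sidebar_name'] ) ? $_POST['sidebar_name'] : '';
    update_option( 'octagon_custom_sidebar', $sidebars );
    wp_send_json_success();
}

// --- Hardened pattern ---
// 1. No wp_ajax_nopriv_* registration: the handler exists only for logged-in users.
// 2. A capability check: managing widget areas maps to edit_theme_options in core,
//    so that is required here (assumption: pick the narrowest capability that fits).
// 3. A nonce check so a logged-in administrator cannot be made to call it cross-site.
// 4. Input sanitised and validated before anything reaches update_option().
add_action( 'wp_ajax_add_custom_sidebar',    'pa_kc_add_custom_sidebar' );
add_action( 'wp_ajax_remove_custom_sidebar', 'pa_kc_remove_custom_sidebar' );

function pa_kc_authorize_sidebar_request() {
    // The admin page that issues the request embeds wp_create_nonce( 'pa_kc_sidebar' )
    // (assumed nonce action name). check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( 'pa_kc_sidebar', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

function pa_kc_read_sidebar_name() {
    $name = isset( $_POST['sidebar_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['sidebar_name'] ) )
        : '';
    if ( '' === $name || strlen( $name ) > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid sidebar name.' ), 400 );
    }
    return $name;
}

function pa_kc_add_custom_sidebar() {
    pa_kc_authorize_sidebar_request();
    $name     = pa_kc_read_sidebar_name();
    $sidebars = (array) get_option( 'octagon_custom_sidebar', array() );
    if ( ! in_array( $name, $sidebars, true ) ) {
        $sidebars[] = $name;
        update_option( 'octagon_custom_sidebar', $sidebars );
    }
    wp_send_json_success( array( 'sidebars' => $sidebars ) );
}

function pa_kc_remove_custom_sidebar() {
    pa_kc_authorize_sidebar_request();
    $name     = pa_kc_read_sidebar_name();
    $sidebars = (array) get_option( 'octagon_custom_sidebar', array() );
    $sidebars = array_values( array_diff( $sidebars, array( $name ) ) );
    update_option( 'octagon_custom_sidebar', $sidebars );
    wp_send_json_success( array( 'sidebars' => $sidebars ) );
}
```

The two checks are complementary, not interchangeable: dropping the wp_ajax_nopriv_* registration removes unauthenticated access, while current_user_can() stops a subscriber-level account from reaching a handler that should be limited to administrators, and the nonce guards against the request being triggered from another site in an administrator's browser. Until the plugin is updated, sites can watch their web server logs for admin-ajax.php requests carrying these action names from sessions with no WordPress login cookie, which is the shape of request the hardened code rejects.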

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30

Affected Vendors & Products

Vendor: premium_addons
Product: kingcomposer
Version / Range: up to and including 1.1.1

Exploitability

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

The Premium Addons for KingComposer plugin for WordPress has a vulnerability in versions up to and including 1.1.1. This vulnerability arises because the plugin lacks proper authorization and capability checks on two AJAX handlers: add_custom_sidebar() and remove_custom_sidebar(). These handlers are accessible via wp_ajax_nopriv_* hooks, allowing unauthenticated attackers to invoke them.

As a result, attackers can create arbitrary custom widget areas or delete existing custom sidebars by directly modifying the octagon_custom_sidebar option through update_option().

This unauthorized modification can cause widgets assigned to those custom sidebars to lose their registration silently and stop rendering on the website.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify or delete custom widget areas on a WordPress site using the Premium Addons for KingComposer plugin.

The impact includes loss of data integrity for widget areas, as widgets assigned to deleted or altered sidebars will stop rendering without notice.

While this does not directly affect confidentiality or availability, it can degrade the user experience and site functionality by causing parts of the site to appear broken or incomplete.
