CVE-2026-4362

Summary

The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Live_Action::reset() function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress init action and triggers when both post and action=elementor GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (_elementor_data) of any elementskit_widget custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.

Affected Software

VendorProductVersion RangeStatus
roxnorElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor0 <= 3.8.2affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References