CVE-2026-4362: CWE-862 Missing Authorization in roxnor ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor
CVE-2026-4362 is a medium severity vulnerability in the ElementsKit Elementor Addons WordPress plugin up to version 3.8.2. It allows unauthenticated attackers to modify Elementor widget content by exploiting a missing authorization check in the Live_Action::reset() function. This function is triggered via specific GET parameters without authentication or nonce verification, enabling attackers to overwrite custom post type data with blank templates.
AI Analysis
Technical Summary
The ElementsKit Elementor Addons plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the Live_Action::reset() function. This function is hooked to the WordPress init action and executes when both 'post' and 'action=elementor' GET parameters are present. Due to the absence of capability checks and nonce verification, unauthenticated attackers can overwrite the '_elementor_data' of any 'elementskit_widget' custom post type, permanently replacing widget designs, text, and configurations with blank templates. The vulnerability affects all versions up to and including 3.8.2.
Potential Impact
An attacker can cause unauthorized modification of Elementor widget content by resetting it to blank templates. This results in loss of custom designs, text, and configurations for the affected widgets. The vulnerability does not disclose sensitive information or allow privilege escalation but impacts data integrity and availability of widget content.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected plugin's functionality and monitor for suspicious requests containing 'post' and 'action=elementor' GET parameters. Avoid exposing the WordPress site to untrusted users who could exploit this vulnerability.
CVE-2026-4362: CWE-862 Missing Authorization in roxnor ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor
Description
CVE-2026-4362 is a medium severity vulnerability in the ElementsKit Elementor Addons WordPress plugin up to version 3.8.2. It allows unauthenticated attackers to modify Elementor widget content by exploiting a missing authorization check in the Live_Action::reset() function. This function is triggered via specific GET parameters without authentication or nonce verification, enabling attackers to overwrite custom post type data with blank templates.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ElementsKit Elementor Addons plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the Live_Action::reset() function. This function is hooked to the WordPress init action and executes when both 'post' and 'action=elementor' GET parameters are present. Due to the absence of capability checks and nonce verification, unauthenticated attackers can overwrite the '_elementor_data' of any 'elementskit_widget' custom post type, permanently replacing widget designs, text, and configurations with blank templates. The vulnerability affects all versions up to and including 3.8.2.
Potential Impact
An attacker can cause unauthorized modification of Elementor widget content by resetting it to blank templates. This results in loss of custom designs, text, and configurations for the affected widgets. The vulnerability does not disclose sensitive information or allow privilege escalation but impacts data integrity and availability of widget content.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected plugin's functionality and monitor for suspicious requests containing 'post' and 'action=elementor' GET parameters. Avoid exposing the WordPress site to untrusted users who could exploit this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-17T20:15:55.299Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f97ad1cbff5d8610ab99d4
Added to database: 5/5/2026, 5:06:25 AM
Last enriched: 5/12/2026, 6:25:57 AM
Last updated: 6/18/2026, 8:04:08 AM
Views: 124
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.