Skip to main content

Envo Elementor for WooCommerce CVE-2026-11600

| EUVDEUVD-2026-41244 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 security@wordfence.com GHSA-cc6h-g44v-7c7v
4.3
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

PR:L required because Author-level WordPress account is a prerequisite; C:L reflects disclosure limited to private Elementor post contents only.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wordfence).

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 06:33 vuln.today
CVE Published
Jul 02, 2026 - 06:16 nvd
MEDIUM 4.3

DescriptionCVE.org

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).

AnalysisAI

Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or compromise WordPress Author-level account
Delivery
Open Elementor editor on a public post
Exploit
Configure Envo Tabs widget with target private post ID
Install
Save widget configuration via Elementor REST API
C2
Anonymous visitor loads the public post
Execute
Plugin render() passes private post ID to get_builder_content_for_display()
Impact
Private content disclosed to unauthenticated visitor

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker to hold at minimum a WordPress Author-level role on the target site, which is a prerequisite for accessing the Elementor editor and configuring widget parameters. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (score 4.3) accurately reflects the real-world risk profile: network-exploitable, low complexity, but gated behind an authenticated Author-level account with no scope change and confidentiality-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a legitimate WordPress Author account opens the Elementor editor on any publicly accessible post, inserts an Envo Tabs widget, and sets its template ID parameter to the numeric ID of a known or enumerated private page - such as an unreleased product announcement, internal policy document, or draft contract - using the Elementor widget JSON via the REST API. Once the public post is saved and visited by any anonymous user, the plugin renders and serves the full content of the private page without any authorization check. …
Remediation Update the Envo's Templates & Widgets for Elementor and WooCommerce plugin to the version released at or after SVN changeset 3578489; consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/26100f1f-3224-486c-b4f9-7086d405a883 for the confirmed patched version number, as it was not independently verifiable from the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-11600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy