Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
wp_ajax_nopriv_* registration requires PR:N; sidebar deletion causing silent widget rendering failure warrants A:L over the NVD-assigned A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the add_custom_sidebar() and remove_custom_sidebar() AJAX handlers, both of which are exposed through wp_ajax_nopriv_* hooks and write directly to the octagon_custom_sidebar option via update_option(). This makes it possible for unauthenticated attackers to create arbitrary custom widget areas or delete existing custom sidebars, which can cause widgets assigned to those areas to silently lose their registration and stop rendering.
AnalysisAI
Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Both vulnerable AJAX actions are registered exclusively under wp_ajax_nopriv_* hooks, meaning WordPress itself performs no authentication check before dispatching the request - no special configuration is required to reach these handlers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a low-complexity, network-accessible, unauthenticated attack with narrow integrity impact and no confidentiality consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an unauthenticated HTTP POST request to https://target-site.example/wp-admin/admin-ajax.php with the body action=remove_custom_sidebar&sidebar_id=<id>, requiring no session token, nonce, or credentials. The request passes directly into remove_custom_sidebar() in class-sidebar.php, which deletes the targeted sidebar from the octagon_custom_sidebar option, causing all widgets registered to that area to silently lose their rendering context. … |
| Remediation | No vendor-released patch with a confirmed fix version has been identified in the available data - patch availability is unknown at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40252
GHSA-7m2v-4f6c-h555