Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.
AnalysisAI
Missing authorization in ElementsKit Elementor addons Lite (WordPress plugin by Wpmet) through version 3.9.6 allows unauthenticated remote attackers to exploit incorrectly configured access control, resulting in limited unauthorized read access to protected data or functionality. The CVSS vector confirms network-based, zero-interaction exploitation with no authentication required, and SSVC classifies it as automatable - meaning attackers can scan and exploit at scale without manual intervention. No public exploit or CISA KEV listing exists at time of analysis, but the unauthenticated, low-complexity nature of the flaw makes it a realistic target for automated WordPress scanning campaigns.
Technical ContextAI
ElementsKit Elementor addons Lite is a widely-used WordPress page builder plugin developed by Wpmet, extending Elementor with additional widgets and design elements. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints - likely WordPress AJAX actions or REST API routes - fail to perform capability checks before executing privileged operations, allowing any HTTP client to invoke restricted functionality. This is a systemic pattern in WordPress plugin development where developers register action hooks without pairing them with current_user_can() or equivalent nonce/capability validation. The CVSS impact metrics (C:L/I:N/A:N) indicate the exposed functionality leaks sensitive information but does not allow modification or denial of service. Affected scope is limited to versions n/a through 3.9.6 per EUVD-2026-32545.
RemediationAI
Upgrade ElementsKit Elementor addons Lite to a version above 3.9.6. An exact patched version number was not confirmed in the available intelligence - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elementskit-lite/vulnerability/wordpress-elementskit-elementor-addons-lite-plugin-3-9-6-broken-access-control-vulnerability-2 and the WordPress plugin repository should be consulted for the specific fixed release. If an immediate upgrade is not possible, the most actionable compensating control is to restrict access to the WordPress admin AJAX endpoint (wp-admin/admin-ajax.php) and any REST API routes registered by ElementsKit to authenticated sessions only via a Web Application Firewall (WAF) or server-level rule - note this may break front-end widget functionality that depends on unauthenticated AJAX. Disabling the ElementsKit plugin entirely until patching is feasible eliminates exposure with no partial-fix side effects. Additional reference available at VulDB entry 366386: https://vuldb.com/vuln/366386
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32545
GHSA-4fvr-xj2h-j282