Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.
AnalysisAI
Missing authorization in Wpmet's ElementsKit Elementor addons Lite plugin for WordPress (versions through 3.9.6) permits authenticated low-privilege users to invoke privileged plugin functionality without proper access control verification. The CVSS vector (PR:L, I:L) confirms the attack requires a valid low-privilege WordPress account - such as a Subscriber - but grants unintended write-level access to restricted plugin operations. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk moderate; however, the network-accessible, low-complexity nature of the flaw means any authenticated user on an affected installation is a potential threat actor.
Technical ContextAI
ElementsKit Elementor addons Lite is a widely deployed WordPress plugin by Wpmet that extends the Elementor page builder with additional widgets and features. The root cause is classified as CWE-862 (Missing Authorization) - a class of flaw where server-side code performs an action in response to a request without first verifying that the requester holds the required capability or role. In WordPress, proper authorization checks are implemented via functions such as current_user_can() tied to nonce verification; when these checks are absent or improperly scoped in AJAX handlers or REST endpoints, lower-privileged roles can reach functionality intended only for editors, admins, or other elevated roles. The tag 'Authentication Bypass' indicates the access control boundary between user roles is effectively bypassed, rather than authentication itself being circumvented.
RemediationAI
WordPress site administrators should update ElementsKit Elementor addons Lite to a version above 3.9.6 immediately via the WordPress plugin dashboard or by downloading directly from the WordPress plugin repository. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elementskit-lite/vulnerability/wordpress-elementskit-elementor-addons-lite-plugin-3-9-6-broken-access-control-vulnerability should be consulted for the confirmed patched release version, as the exact fix version was not independently confirmed from the available input data. If an immediate upgrade is not possible, restrict new user registrations and review existing Subscriber-level accounts on the affected installation to limit the pool of potential exploiters. Additionally, a Web Application Firewall (WAF) rule targeting unauthorized AJAX or REST requests to ElementsKit endpoints can serve as a compensating control, though this may inadvertently block legitimate plugin functionality - test in staging before applying to production.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32543
GHSA-cf5w-c59m-3p6w