Skip to main content

ElementsKit Lite EUVDEUVD-2026-32545

| CVE-2026-49053 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 audit@patchstack.com GHSA-4fvr-xj2h-j282
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:10 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.

AnalysisAI

Missing authorization in ElementsKit Elementor addons Lite (WordPress plugin by Wpmet) through version 3.9.6 allows unauthenticated remote attackers to exploit incorrectly configured access control, resulting in limited unauthorized read access to protected data or functionality. The CVSS vector confirms network-based, zero-interaction exploitation with no authentication required, and SSVC classifies it as automatable - meaning attackers can scan and exploit at scale without manual intervention. No public exploit or CISA KEV listing exists at time of analysis, but the unauthenticated, low-complexity nature of the flaw makes it a realistic target for automated WordPress scanning campaigns.

Technical ContextAI

ElementsKit Elementor addons Lite is a widely-used WordPress page builder plugin developed by Wpmet, extending Elementor with additional widgets and design elements. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints - likely WordPress AJAX actions or REST API routes - fail to perform capability checks before executing privileged operations, allowing any HTTP client to invoke restricted functionality. This is a systemic pattern in WordPress plugin development where developers register action hooks without pairing them with current_user_can() or equivalent nonce/capability validation. The CVSS impact metrics (C:L/I:N/A:N) indicate the exposed functionality leaks sensitive information but does not allow modification or denial of service. Affected scope is limited to versions n/a through 3.9.6 per EUVD-2026-32545.

RemediationAI

Upgrade ElementsKit Elementor addons Lite to a version above 3.9.6. An exact patched version number was not confirmed in the available intelligence - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elementskit-lite/vulnerability/wordpress-elementskit-elementor-addons-lite-plugin-3-9-6-broken-access-control-vulnerability-2 and the WordPress plugin repository should be consulted for the specific fixed release. If an immediate upgrade is not possible, the most actionable compensating control is to restrict access to the WordPress admin AJAX endpoint (wp-admin/admin-ajax.php) and any REST API routes registered by ElementsKit to authenticated sessions only via a Web Application Firewall (WAF) or server-level rule - note this may break front-end widget functionality that depends on unauthenticated AJAX. Disabling the ElementsKit plugin entirely until patching is feasible eliminates exposure with no partial-fix side effects. Additional reference available at VulDB entry 366386: https://vuldb.com/vuln/366386

Share

EUVD-2026-32545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy