Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible, low complexity, contributor authentication required (PR:L); confidentiality-only impact with no integrity or availability effect confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.
AnalysisAI
Sensitive data exposure in Elementor Website Builder for WordPress (versions <= 4.1.3) allows contributor-level authenticated users to access protected information due to missing authorization checks (CWE-862). The vulnerability stems from insufficient capability verification before exposing sensitive data to lower-privileged roles, enabling a contributor to retrieve data they should not have access to. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated WordPress session with at minimum contributor role privileges (PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the core risk profile: network-exploitable with no interaction required, but gated behind a low-privilege account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level account on a target WordPress site running Elementor <= 4.1.3. They then send a crafted authenticated request - likely to an Elementor AJAX handler or REST endpoint - that the plugin services without verifying the caller's capabilities, returning sensitive data such as configuration details, private post content, or user information. … |
| Remediation | Update Elementor Website Builder to a version beyond 4.1.3 immediately; the affected version ceiling of 4.1.3 implies a patched release follows, though an explicit patched version number was not independently confirmed in the available data - verify the latest release via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elementor/vulnerability/wordpress-elementor-website-builder-plugin-4-1-3-sensitive-data-exposure-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Elementor Website Builder
View allA DOM-based Cross-Site Scripting (XSS) vulnerability exists in Elementor Website Builder through version 3.35.5, allowin
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Confi
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39361
GHSA-xmcv-qgcf-rfp5