Skip to main content

KingComposer Plugin EUVDEUVD-2026-40252

| CVE-2026-12349 MEDIUM
Missing Authorization (CWE-862)
2026-06-30 Wordfence GHSA-7m2v-4f6c-h555
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
6.5 MEDIUM

wp_ajax_nopriv_* registration requires PR:N; sidebar deletion causing silent widget rendering failure warrants A:L over the NVD-assigned A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 06:17 vuln.today
CVE Published
Jun 30, 2026 - 04:30 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the add_custom_sidebar() and remove_custom_sidebar() AJAX handlers, both of which are exposed through wp_ajax_nopriv_* hooks and write directly to the octagon_custom_sidebar option via update_option(). This makes it possible for unauthenticated attackers to create arbitrary custom widget areas or delete existing custom sidebars, which can cause widgets assigned to those areas to silently lose their registration and stop rendering.

AnalysisAI

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running plugin ≤1.1.1
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php
Exploit
Invoke add_custom_sidebar or remove_custom_sidebar action
Execution
Write or delete octagon_custom_sidebar option record
Persist
Widgets lose sidebar registration
Impact
Widget content silently stops rendering on site

Vulnerability AssessmentAI

Exploitation Both vulnerable AJAX actions are registered exclusively under wp_ajax_nopriv_* hooks, meaning WordPress itself performs no authentication check before dispatching the request - no special configuration is required to reach these handlers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a low-complexity, network-accessible, unauthenticated attack with narrow integrity impact and no confidentiality consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an unauthenticated HTTP POST request to https://target-site.example/wp-admin/admin-ajax.php with the body action=remove_custom_sidebar&sidebar_id=<id>, requiring no session token, nonce, or credentials. The request passes directly into remove_custom_sidebar() in class-sidebar.php, which deletes the targeted sidebar from the octagon_custom_sidebar option, causing all widgets registered to that area to silently lose their rendering context. …
Remediation No vendor-released patch with a confirmed fix version has been identified in the available data - patch availability is unknown at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy