Skip to main content

Premium Addons For Kingcomposer

1 CVEs product

Monthly

CVE-2026-12349 MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy