CVE-2026-11600 MEDIUM

CVE-2026-11600: Envo's Templates & Widgets for Elementor and WooCommerce <= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget 'templates' Setting

Vendor Envothemes
Product Envo's Templates & Widgets for Elementor and WooCommerce
Weakness CWE-862 · Missing authorization
Published July 2, 2026
Last update July 2, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).
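The following is an added illustration, not the plugin's own code, of the render-time check the description says is missing. It assumes a widget setting named `templates` that carries a post/template ID and a helper called `render_template_safely()` (both names are assumptions); the WordPress functions `get_post()`, `get_post_status()`, `current_user_can( 'read_post', ... )`, `post_password_required()` and Elementor's `Plugin::$instance->frontend->get_builder_content_for_display()` are real APIs. The unchecked variant reproduces the pattern the advisory describes; the hardened variant shows the authorization check a fix would add.

```php
<?php
/**
 * Added example (not code from the Envo plugin or from Elementor).
 * Assumed names: the 'templates' widget setting, render_template_unchecked(),
 * render_template_safely(). Everything else is a real WordPress/Elementor API.
 */

// Pattern described in the advisory: the ID taken from the widget settings is
// handed straight to Elementor, so a private or draft post referenced by an
// Author-placed widget is rendered to every visitor of the public page.
function render_template_unchecked( $template_id ) {
    return \Elementor\Plugin::$instance->frontend->get_builder_content_for_display( (int) $template_id );
}

// Hardened version: authorize against the *current viewer* at render time,
// not against whoever configured the widget.
function render_template_safely( $template_id ) {
    $template_id = absint( $template_id );
    if ( 0 === $template_id ) {
        return '';
    }

    $post = get_post( $template_id );
    if ( ! $post instanceof \WP_Post ) {
        return '';
    }

    // Only published content is public. For any other status (private, draft,
    // pending, future, trash) require that the visitor can read that specific
    // post; 'read_post' is a meta capability WordPress maps to the post's type
    // and owner, so anonymous visitors fail this check.
    if ( 'publish' !== get_post_status( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }

    // Password-protected posts must not be rendered inline either.
    if ( post_password_required( $post ) ) {
        return '';
    }

    return \Elementor\Plugin::$instance->frontend->get_builder_content_for_display( $post->ID );
}

// Assumed call site inside a widget's render() method, where $settings comes
// from $this->get_settings_for_display() and 'templates' is the assumed key.
function render_tabs_template_example( array $settings ) {
    $template_id = isset( $settings['templates'] ) ? $settings['templates'] : 0;
    return render_template_safely( $template_id );
}
```

The important design point is where the check runs: the widget is configured once by an Author, but the content is rendered on every page view, so the status and capability test has to be evaluated for each viewer at render time. Checking only that the configuring user could see the template would not close the gap the advisory describes.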

Explanation of Vulnerability in Simple Terms

02 Summary

Envo's Templates & Widgets for Elementor and WooCommerce versions up to 1.4.26 lack an authorization check when the Envo Tabs widget renders a referenced template. A logged-in user with low privileges can expose private content that they and anonymous visitors should not be able to read. The vulnerability requires an active user account but no interaction from the victim.

What an attacker can do

03 Attacker Capabilities

Read sensitive information restricted to higher-privilege users.

Potential impact on your site

04 Site Impact

Logged-in users can access confidential data not intended for their role.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06 Disclosure timeline

July 2, 2026 CVE published
July 2, 2026 Record updated

Related vulnerabilities

08 Related CVE