CVE-2026-4362 MEDIUM

CVE-2026-4362: ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite

Vendor Roxnor

Product ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

Weakness CWE-862 · Missing authorization

Published May 5, 2026

Last update May 5, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

Description

The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.

Key dates

Disclosure timeline

May 5, 2026 CVE published

May 5, 2026 Record updated

Identifiers

CVE CVE-2026-4362

CWE CWE-862

CVSS 6.5 / MEDIUM

Affected versions

Vendor Roxnor

Product ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

Affected ≤ 3.8.2