Unauthorized Data Modification in Premium Addons for KingComposer Plugin by WordPress
CVE-2026-12349

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Premium Addons For Kingcomposer
Vendor: CVE Published:; 30 June 2026

What is CVE-2026-12349?

The Premium Addons for KingComposer plugin for WordPress is vulnerable due to insufficient authorization and capability checks in its AJAX handlers, specifically add_custom_sidebar() and remove_custom_sidebar(). This oversight allows unauthenticated attackers to manipulate the octagon_custom_sidebar option directly, leading to the potential creation of arbitrary custom widget areas or the deletion of existing custom sidebars. As a result, widgets linked to these areas may become unregistered and stop rendering, causing disruption in website functionality.

Affected Version(s)

Premium Addons for KingComposer 0 <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/premium-addons...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 15, 2026

Credit

Eason

CVE-2026-12349 Data

JSON