Unauthorized Data Modification in ElementsKit Elementor Addons Plugin for WordPress
CVE-2026-4362

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-4362?

The ElementsKit Elementor Addons plugin for WordPress is susceptible to unauthorized data modification due to a lack of proper capability checks. This vulnerability affects all versions up to and including 3.8.2. An attacker can exploit this by sending a specially crafted request to the Live_Action::reset() function, which is triggered by the presence of the post and action=elementor GET parameters. Without the necessary authentication or nonce verification, attackers can overwrite the _elementor_data of any elementskit_widget custom post type, effectively replacing custom designs, text, and configurations with a blank template, leading to potential data loss and site disruption.

Affected Version(s)

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor 0 <= 3.8.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/elementskit-li...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Jack Pas

CVE-2026-4362 Data

JSON