Security Alert Summary
The Elementor Website Builder plugin for WordPress contains an authorization logic error that can allow authenticated users with contributor-level access and above to read private or draft Elementor template content. The issue is triggered via the get_template_data action of the elementor_ajax endpoint when a template_id is supplied.
CVE Details
- CVE ID: CVE-2026-1206
- Affected plugin / component: Elementor Website Builder plugin for WordPress
- Affected versions: All versions up to, and including, 3.35.7
- Published: March 26, 2026 at 06:16:09 AM
- Last modified: March 26, 2026 at 06:16:09 AM
- CVSS v3.1: Base Score 4.3 – MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW (authenticated user)
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: NONE
- Availability Impact: NONE
- Authentication / Access: Requires an authenticated user with low privileges. The advisory notes contributor-level access and above can exploit the issue.
- CWE: CWE-639
Technical Details
The vulnerability is an incorrect authorization check in the is_allowed_to_read_template() function. A logic error in that permission check treats non-published templates as readable without verifying whether the requesting user has edit capabilities. As a result, an authenticated user can supply a template_id to the get_template_data action of the elementor_ajax endpoint and receive the contents of private or draft Elementor templates.
The issue exists because the permission path does not require the appropriate edit capability for non-published templates. The impact is limited to disclosure of template content; the provided data indicates no integrity or availability effects.
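To make the logic error concrete, the following is an added illustration (not Elementor's own code from local.php) of the shape of the flawed read check described above and a hardened version of it. It assumes the WordPress core functions get_post_status(), is_user_logged_in(), current_user_can() and get_post() are available, and that $template_id is the untrusted value from the request.

```php
<?php
// Illustrative example only: the shape of the authorization bug described
// above and a corrected check. Not Elementor's actual code.
// Assumed: WordPress core functions are loaded and $template_id is the
// untrusted integer supplied with the get_template_data action.

// Flawed pattern: a non-published template is treated as readable as long
// as the caller is logged in, with no edit-capability check.
function is_allowed_to_read_template_flawed( int $template_id ): bool {
    $status = get_post_status( $template_id );
    if ( false === $status ) {
        return false; // no such template
    }
    if ( 'publish' === $status ) {
        return true; // published templates are public content
    }
    // Bug: draft/private templates fall through to "allowed" for any
    // authenticated user, including contributors.
    return is_user_logged_in();
}

// Hardened pattern: anything that is not published requires the caller to
// hold edit capability on that specific post. 'edit_post' is a WordPress
// meta-capability that map_meta_cap() resolves to edit_others_posts /
// edit_private_posts as needed, so a contributor cannot read another
// user's private or draft template.
function is_allowed_to_read_template_fixed( int $template_id ): bool {
    $status = get_post_status( $template_id );
    if ( false === $status ) {
        return false;
    }
    if ( 'publish' === $status ) {
        return true;
    }
    return current_user_can( 'edit_post', $template_id );
}

// Where the check belongs: the AJAX handler must refuse before reading any
// template data, and should return the same error whether the id is
// missing or merely not readable, so it does not confirm existence.
function get_template_data_handler( array $args ) {
    $template_id = isset( $args['template_id'] ) ? (int) $args['template_id'] : 0;
    if ( ! is_allowed_to_read_template_fixed( $template_id ) ) {
        return new WP_Error( 'template_error', 'Access denied.' );
    }
    return get_post( $template_id ); // simplified; real code assembles template data
}
```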
How This Could Impact Your Website
Consider a typical small business WordPress site with a site owner, internal staff (editors or content contributors), and external contractors or contributors. If a contributor-level account is able to read private or draft templates, sensitive design or marketing content that was intended to remain internal could be exposed to other authenticated users. This could reveal upcoming campaigns, internal notes in template content, or layout information that attackers could use for targeted phishing or social engineering against staff.
The practical consequence is primarily information disclosure. It increases the risk of targeted social engineering and reduces the confidentiality of unpublished site assets, while not implying code execution or full site compromise based on the provided data.
Professional Review
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor and similar low-privilege accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual access patterns to AJAX endpoints or template requests.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768&old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve