ElementsKit Elementor Addons Plugin Vulnerability (CVE-2026-4362)


Security Alert Summary

The ElementsKit Elementor Addons plugin for WordPress contains a vulnerability that allows unauthenticated attackers to modify widget data. A missing capability check in a function hooked to the WordPress init action can be triggered via specific GET parameters, permitting overwriting of Elementor content for the plugin’s custom widget post type.


CVE Details

  • CVE ID: CVE-2026-4362
  • Affected component: ElementsKit Elementor Addons plugin for WordPress
  • Affected versions: All versions up to, and including, 3.8.2
  • Published: May 5, 2026 05:16 AM UTC
  • Last modified: May 5, 2026 05:16 AM UTC
  • CVSS v3.1: Base Score 6.5 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • Authentication/Privileges/User Interaction: Authentication: none; Privileges Required: none; User Interaction: none (per CVSS)
  • Primary impact: Confidentiality: None; Integrity: Low (unauthenticated modification of widget data); Availability: Low
  • Weakness: CWE-862 (missing authorization)

Technical Details

The vulnerability is a missing capability check in the Live_Action::reset() function. That function is attached to the WordPress init action and executes when both the post and action=elementor GET parameters are present. There is no authentication or nonce verification in this code path.

As a result, an unauthenticated attacker who can craft a URL containing those GET parameters can trigger the function to overwrite the Elementor content stored in the _elementor_data post meta for any post of the elementskit_widget custom post type. According to the report, the widget’s custom designs, text, and configurations are replaced with a blank template.

This is an authorization bypass that allows modification (integrity impact) and may also cause functional disruption of affected widgets (availability impact). The issue exists because the code fails to verify the requestor’s permissions or a valid nonce before performing the data reset.
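As an added illustration (not the plugin's or the advisory's own code), here is what a hardened version of an init-hooked reset handler looks like with the capability and nonce checks the advisory says are missing, followed by a small logging hook that supports the monitoring advice below. The function names, nonce action and log format are hypothetical; the GET parameters, post type and meta key are the ones the advisory names.

```php
<?php
// Added example, not plugin code. Function and hook names are hypothetical;
// the request parameters, post type and meta key come from the advisory.
add_action( 'init', 'example_hardened_widget_reset' );

function example_hardened_widget_reset() {
    // Only react to the exact request this handler is meant for.
    if ( ! isset( $_GET['post'], $_GET['action'] ) || 'elementor' !== $_GET['action'] ) {
        return;
    }
    $post_id = absint( $_GET['post'] );
    if ( ! $post_id || 'elementskit_widget' !== get_post_type( $post_id ) ) {
        return;
    }

    // Check 1 (absent in the vulnerable path): the requester must be logged in
    // and allowed to edit this specific post, not just any post.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // Check 2 (also absent): a nonce bound to the post id rejects forged links.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_reset_widget_' . $post_id ) ) {
        wp_die( 'Invalid or expired request.', 403 );
    }

    // Only now is it safe to overwrite the stored Elementor content.
    update_post_meta( $post_id, '_elementor_data', wp_json_encode( array() ) );
}

// Defender-side monitoring: record every change to _elementor_data so an
// unexpected reset (especially by user id 0, i.e. unauthenticated) stands out.
add_action( 'updated_post_meta', 'example_log_elementor_data_change', 10, 4 );

function example_log_elementor_data_change( $meta_id, $post_id, $meta_key, $meta_value ) {
    if ( '_elementor_data' !== $meta_key ) {
        return;
    }
    error_log( sprintf(
        '[elementor-data-change] post=%d user=%d len=%d ip=%s',
        $post_id,
        get_current_user_id(), // 0 when no user is logged in
        strlen( (string) $meta_value ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a'
    ) );
}
```

A log line showing user=0 together with a short new length on an elementskit_widget post is the pattern the advisory describes and is worth alerting on.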


How This Could Impact Your Website

In a realistic scenario, a site owner, internal staff member, and an external contractor could be using Elementor and ElementsKit to manage widgets and designs. An unauthenticated attacker could craft a URL that, when requested, resets the content of an elementskit_widget post. That could remove custom designs or text that staff rely on, potentially breaking page layouts or removing important information.

Because the vulnerability allows modification of widget data, attackers could also replace content with misleading or malicious text or links, increasing the risk of targeted phishing or social engineering against site visitors or staff. The issue does not indicate direct disclosure of confidential data, but it does allow alteration of site content and could disrupt normal operations.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and editors.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins and audit active plugin code for unexpected hooks on init or similar global actions.
  • Monitor site activity and change logs for unusual behavior, including unexpected changes to widget content or post meta like _elementor_data.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References