Premium Addons for KingComposer Plugin Vulnerability (CVE-2026-12349)

Security Alert Summary

The Premium Addons for KingComposer plugin for WordPress contains an authorization bypass in AJAX handlers that allows unauthenticated requests to add or remove custom sidebars. An attacker able to invoke these handlers can create arbitrary custom widget areas or delete existing custom sidebars, which can cause widgets assigned to those areas to lose their registration and stop rendering.

CVE Details

  • CVE ID: CVE-2026-12349
  • Affected component: Premium Addons for KingComposer plugin for WordPress
  • Affected versions: up to and including 1.1.1
  • Published: June 30, 2026 at 6:16:26 AM UTC
  • Last modified: June 30, 2026 at 2:08:13 PM UTC
  • CVSS v3.1: Base score 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required (unauthenticated); privileges required: NONE; user interaction: NONE
  • Primary impact: Integrity: LOW; Confidentiality: NONE; Availability: NONE
  • Weakness (CWE): CWE-862

Technical Details

The vulnerability exists because the plugin’s AJAX handlers for managing custom sidebars lack authorization and capability checks. Specifically, the add_custom_sidebar() and remove_custom_sidebar() handlers are exposed through wp_ajax_nopriv_* hooks and perform writes to the octagon_custom_sidebar option via update_option() without verifying the requestor’s identity or permissions. Because these handlers accept unauthenticated requests, an attacker can invoke them remotely to create arbitrary custom widget areas or delete existing sidebars.

The practical effect is that widgets assigned to affected custom sidebars may silently lose their registration and stop rendering on the site. The issue is an integrity problem with widget and sidebar configuration rather than a data disclosure or availability flaw.
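The following is an added example of what a hardened version of such a handler looks like; it is illustrative code, not the plugin's own. The action name `pa_kc_add_custom_sidebar`, the `sidebar_name` request parameter and the assumption that the option stores a plain list of sidebar names are assumptions; the option name `octagon_custom_sidebar` is the one named above.

```php
<?php
// Hardened custom-sidebar AJAX handler (illustrative, not the plugin's code).
// Assumed: action name "pa_kc_add_custom_sidebar", POST field "sidebar_name",
// and the octagon_custom_sidebar option holding a list of sidebar names.

// Register for logged-in users only. Deliberately no wp_ajax_nopriv_* hook,
// so unauthenticated requests never reach the callback at all.
add_action( 'wp_ajax_pa_kc_add_custom_sidebar', 'pa_kc_add_custom_sidebar_secure' );

function pa_kc_add_custom_sidebar_secure() {
    // 1. CSRF check: the request must carry a nonce issued for this action.
    check_ajax_referer( 'pa_kc_custom_sidebar', 'nonce' );

    // 2. Capability check (the missing control behind CWE-862): only users who
    //    may manage widgets are allowed to change sidebar configuration.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: sanitize the sidebar name and reject empty values.
    $name = isset( $_POST['sidebar_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['sidebar_name'] ) )
        : '';
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Sidebar name is required.' ), 400 );
    }

    // 4. Update the stored list without clobbering unrelated entries.
    $sidebars = get_option( 'octagon_custom_sidebar', array() );
    if ( ! is_array( $sidebars ) ) {
        $sidebars = array();
    }
    if ( ! in_array( $name, $sidebars, true ) ) {
        $sidebars[] = $name;
        update_option( 'octagon_custom_sidebar', $sidebars );
    }

    wp_send_json_success( array( 'sidebars' => $sidebars ) );
}

// Defender-side telemetry: log every change to the option, with the acting
// user id (0 for an unauthenticated request), so unexpected additions or
// removals of sidebars are visible when reviewing site logs.
add_action( 'update_option_octagon_custom_sidebar', function ( $old, $new ) {
    error_log( sprintf(
        'octagon_custom_sidebar changed by user %d: %s -> %s',
        get_current_user_id(), wp_json_encode( $old ), wp_json_encode( $new )
    ) );
}, 10, 2 );
```

The same three controls (no nopriv hook, nonce check, capability check) apply to the removal handler; the logging hook covers both, since each goes through update_option() on the same option.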

How This Could Impact Your Website

Consider a small organization where a site owner, internal content editor, and an external contractor all manage site content. If an unauthenticated attacker uses the vulnerable handlers, the attacker could remove custom sidebars that staff members rely on for navigation, contact forms, or promotional widgets. Those widgets would stop rendering, leading to broken page areas, loss of functionality for visitors, and potential disruption to lead capture or e-commerce flows.

This vulnerability does not indicate disclosure of user credentials or personal data, but it can degrade site functionality and user experience. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Apply an official plugin update as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributor/editor accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, particularly changes to widget areas or option updates.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.