cleantalk
Vulnerabilities and Security Researches

ElementsKit Elementor addons, CVE-2026-4362

CVE, Research URL

CVE-2026-4362

Home page URL

Security reports for ElementsKit Elementor addons

Application

ElementsKit Elementor addons

Published on
May 05, 2026
Research Description
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.
Affected versions
max 3.9.0.
Status
vulnerable
Previous vulnerability researches
GSheetConnector for Forminator Forms (CVE-2025-22752) , Jan 17, 2025
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2026-2002) , Apr 14, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2024-7052) , May 16, 2025
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2024-45625) , Sep 10, 2024
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2025-7638) , Jul 19, 2025
New vulnerability
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (CVE-2026-42659) , May 06, 2026
GenerateBlocks (CVE-2026-3454) , May 05, 2026
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin (CVE-2026-3601) , May 05, 2026
Event Tickets and Registration (CVE-2026-42662) , May 05, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2026-2729) , May 05, 2026