cleantalk
Vulnerabilities and Security Researches

ElementsKit Elementor addons, CVE-2026-4362

CVE, Research URL

CVE-2026-4362

Home page URL

Security reports for ElementsKit Elementor addons

Application

ElementsKit Elementor addons

Published on
May 05, 2026
Research Description
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.
Affected versions
max 3.9.0.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
ElementsKit Elementor addons (CVE-2026-4362) , May 05, 2026
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions (CVE-2026-4100) , May 04, 2026
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (CVE-2026-7649) , May 04, 2026
FundPress – WordPress Donation Plugin (CVE-2026-4650) , May 04, 2026
Import and export users and customers (CVE-2026-7641) , May 04, 2026