CVE-2026-49052
Description
Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ElementsKit for Elementor addons Lite through 3.9.6 has a missing authorization vulnerability that allows unauthenticated exploitation of incorrectly configured access controls.
Vulnerability
ElementsKit Elementor addons Lite, a WordPress plugin developed by Wpmet, contains a missing authorization vulnerability affecting versions from n/a through 3.9.6. The issue arises from an incorrectly configured access control security level, meaning certain functions or endpoints lack proper authorization checks, allowing them to be called without the required permissions. This is classified as a broken access control vulnerability [1].
Exploitation
Exploitation does not require authentication; an attacker can trigger the vulnerable functionality without being logged in. By sending crafted HTTP requests to the unprotected endpoints or functions, an attacker can execute actions that are normally restricted to higher-privileged users. This type of vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform unintended actions with elevated privileges, potentially leading to data disclosure, modification, or deletion. The specific impact depends on the exact nature of the misconfigured access control, but typically includes unauthorized access to administrative features or sensitive information. The CVSS score is 4.3, indicating a medium severity [1].
Mitigation
The vendor has released a fix; updating to version 3.9.7 or later of the ElementsKit Elementor addons Lite plugin eliminates the vulnerability. Users who cannot update immediately should consult their hosting provider or web developer for assistance. As of the publication date (2026-05-27), no workaround other than updating is documented [1]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.9.6
- Range: <=3.9.6
Patches
No patches discovered yet.
References