{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1206", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-19T16:01:46.785Z", "datePublished": "2026-03-26T05:29:33.177Z", "dateUpdated": "2026-04-08T17:12:59.673Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:59.673Z"}, "affected": [{"vendor": "elemntor", "product": "Elementor Website Builder \u2013 more than just a page builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.35.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint."}], "title": "Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768&old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2026-01-19T16:18:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T17:26:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1206", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:55.831733Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:15.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1206", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:55.831733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:03.395Z"}}], "cna": {"title": "Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "elemntor", "product": "Elementor Website Builder \u2013 more than just a page builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.35.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-19T16:18:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T17:26:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768&old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php"}], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:59.673Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1206", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:59.673Z", "dateReserved": "2026-01-19T16:01:46.785Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T05:29:33.177Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint."}, {"lang": "es", "value": "El plugin Elementor Website Builder para WordPress es vulnerable a una Autorizaci\u00f3n Incorrecta que conduce a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 3.35.7, inclusive. Esto se debe a un error de l\u00f3gica en la verificaci\u00f3n de permisos de la funci\u00f3n is_allowed_to_read_template() que trata las plantillas no publicadas como legibles sin verificar las capacidades de edici\u00f3n. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, lean contenido de plantillas privadas o en borrador de Elementor a trav\u00e9s del 'template_id' proporcionado a la acci\u00f3n 'get_template_data' del endpoint 'elementor_ajax'."}], "id": "CVE-2026-1206", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T06:16:09.267", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768&old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.35.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Elementor Website Builder \u2013 More Than Just a Page Builder", "source": "cna", "vendor": "elemntor"}, "product": "elementor_website_builder_\u2013_more_than_just_a_page_builder", "vendor": "elemntor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T07:51:25.736402+00:00", "value": {"mitigation_remediation": ["Update Elementor Website Builder to the most recent stable release available.", "Verify that the plugin version is above 3.35.7 before applying the update.", "Consider temporarily restricting Contributor roles or removing edit permissions on critical content while an update is applied."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress installations running Elementor Website Builder version 3.35.7 or earlier are vulnerable. The flaw is present in all releases up to and including 3.35.7 and is not identified in later releases by the vendor. Site administrators should verify that the plugin is not at a vulnerable version.", "description_and_impact": "The Elementor plugin in WordPress suffers from a permission check flaw that permits unauthorised reading of unpublished templates. The logic error in the is_allowed_to_read_template() function fails to verify that a user has edit rights before allowing visibility of draft or private templates. As a result, an attacker who is logged in with Contributor level or higher can retrieve the full contents of a template by supplying its template_id to the get_template_data action on the elementor_ajax endpoint. This yields confidential design information that should only be visible to template owners or administrators.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, implying that large\u2011scale exploitation has not been observed. Attackers require only authenticated access with Contributor or higher rights, meaning anyone who can log into the site can try to leverage the flaw by submitting a template_id to the elementor_ajax endpoint. The impact is limited to the disclosure of template data and does not involve remote code execution or website takeover, but the availability of design assets may aid further attacks or intellectual property theft."}}}}, "created": "2026-03-26T11:30:28.969947+00:00", "updated": "2026-03-26T12:08:29.697957+00:00", "vendors": ["elemntor", "elemntor$PRODUCT$elementor_website_builder_\u2013_more_than_just_a_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}