{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24386", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.125Z", "datePublished": "2026-01-22T16:52:47.316Z", "dateUpdated": "2026-04-28T16:14:48.526Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "elementinvader", "product": "Element Invader \u2013 Template Kits for Elementor", "vendor": "Element Invader", "versions": [{"changes": [{"at": "1.2.5", "status": "unaffected"}], "lessThanOrEqual": "1.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:01.594Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Element Invader Element Invader \u2013 Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Element Invader \u2013 Template Kits for Elementor: from n/a through <= 1.2.4.</p>"}], "value": "Missing Authorization vulnerability in Element Invader Element Invader \u2013 Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader \u2013 Template Kits for Elementor: from n/a through <= 1.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.526Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Element Invader \u2013 Template Kits for Elementor plugin <= 1.2.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T18:48:32.216914Z", "id": "CVE-2026-24386", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:06:50.926Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24386", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.125Z", "datePublished": "2026-01-22T16:52:47.316Z", "dateUpdated": "2026-04-28T14:06:50.926Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "elementinvader", "product": "Element Invader &#8211; Template Kits for Elementor", "vendor": "Element Invader", "versions": [{"changes": [{"at": "1.2.5", "status": "unaffected"}], "lessThanOrEqual": "1.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:01.594Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Element Invader Element Invader &#8211; Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Element Invader &#8211; Template Kits for Elementor: from n/a through <= 1.2.4.</p>"}], "value": "Missing Authorization vulnerability in Element Invader Element Invader &#8211; Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader &#8211; Template Kits for Elementor: from n/a through <= 1.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:05.584Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Element Invader \u2013 Template Kits for Elementor plugin <= 1.2.4 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T18:48:32.216914Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T18:48:50.964Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Element Invader Element Invader \u2013 Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader \u2013 Template Kits for Elementor: from n/a through <= 1.2.4."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Element Invader Element Invader \u2013 Template Kits para Elementor elementinvader permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Element Invader \u2013 Template Kits para Elementor: desde n/a hasta &lt;= 1.2.4."}], "id": "CVE-2026-24386", "lastModified": "2026-04-28T19:36:47.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:41.627", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T00:57:28.113080+00:00", "value": {"mitigation_remediation": ["Upgrade Element Invader \u2013 Template Kits for Elementor to version 1.2.5 or later. ", "Restrict the ability to create or modify template kits to administrators only by reviewing WordPress role capabilities. ", "If an upgrade is not immediately feasible, disable the plugin\u2019s template kit upload feature or block access to its endpoints through a web\u2011application firewall."], "summary": {"action": "Upgrade Plugin", "impact": "Unauthorized Access via Broken Authorization"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Element Invader \u2013 Template Kits for Elementor from earliest release up to and including version 1.2.4. Hosts running WordPress with this plugin should verify their installed version and patch if needed.", "description_and_impact": "Element Invader \u2013 Template Kits for Elementor contains a missing authorization check that permits incorrectly configured access control, allowing unintended users to create or modify template kits without proper role verification. This results in unauthorized content changes and falls under the CWE-862 category of Authorization Bypass.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate severity. The EPSS value is below 1%, showing a low likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Likely attack vectors involve authenticated or partially privileged users who can access the plugin\u2019s administration UI; the lack of a clear client\u2011side exploitation path makes remote exploitation less likely, but an attacker who can get in via other means could abuse the plugin to inject or alter templates."}}}}, "created": "2026-01-23T16:28:41.564486+00:00", "updated": "2026-04-29T01:00:11.411285+00:00", "vendors": ["elementinvader", "elementinvader$PRODUCT$template_kits_for_elementor", "elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}