{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24947", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.517Z", "datePublished": "2026-02-03T14:08:33.637Z", "dateUpdated": "2026-04-28T16:14:51.242Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lastudio-element-kit", "product": "LA-Studio Element Kit for Elementor", "vendor": "LA-Studio", "versions": [{"changes": [{"at": "1.5.6.3", "status": "unaffected"}], "lessThanOrEqual": "1.5.6.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:55.845Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.</p>"}], "value": "Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.242Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress LA-Studio Element Kit for Elementor plugin < 1.5.6.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T17:12:47.852503Z", "id": "CVE-2026-24947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:49:41.697Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24947", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.517Z", "datePublished": "2026-02-03T14:08:33.637Z", "dateUpdated": "2026-04-28T14:49:41.697Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lastudio-element-kit", "product": "LA-Studio Element Kit for Elementor", "vendor": "LA-Studio", "versions": [{"changes": [{"at": "1.5.6.3", "status": "unaffected"}], "lessThanOrEqual": "1.5.6.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:29.258Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.</p>"}], "value": "Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:46.636Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress LA-Studio Element Kit for Elementor plugin < 1.5.6.3 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T17:12:47.852503Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T17:11:55.811Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en LA-Studio LA-Studio Element Kit para Elementor lastudio-element-kit permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a LA-Studio Element Kit para Elementor: desde n/a hasta &lt; 1.5.6.3."}], "id": "CVE-2026-24947", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:15.880", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:30:50.800342+00:00", "value": {"mitigation_remediation": ["Upgrade the LA\u2011Studio Element Kit for Elementor plugin to version 1.5.6.3 or later to apply the vendor\u2011supplied fix.", "Configure WordPress role\u2011based access control so that only administrators or designated high\u2011privilege roles can access the plugin\u2019s administration pages, and verify capability checks on every endpoint exposed by the plugin.", "Deploy a web application firewall that enforces authentication and validates user capabilities on all requests to the plugin\u2019s privileged URLs, logging any unauthorized attempts."], "summary": {"action": "Assess", "impact": "Unauthorized access to plugin data and configuration"}, "threat_synthesis": {"affected_systems": "WordPress installations using the LA\u2011Studio Element Kit for Elementor plugin with versions prior to 1.5.6.3 are affected. The impact applies to all users who can interact with the plugin\u2019s administrative interface in those versions.", "description_and_impact": "The vulnerability is a missing authorization flaw in the LA\u2011Studio Element Kit for Elementor WordPress plugin. Attackers who can reach the plugin\u2019s administration pages may obtain access to restricted settings or data that should be limited to privileged users. The flaw is a classic missing or incorrect access control, identified as CWE\u2011862, and could expose configuration information or modify content without proper permissions.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low\u2011to\u2011medium severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through exploitation of improperly configured access control within the plugin\u2019s admin area; it is inferred that an adversary would need access to a user account in the WordPress installation that has sufficient privileges to view or modify the plugin\u2019s settings, unless the plugin itself accepts unauthenticated requests to privileged endpoints."}}}}, "created": "2026-02-04T12:14:10.812775+00:00", "updated": "2026-04-16T17:45:27.365356+00:00", "vendors": ["la-studioweb", "la-studioweb$PRODUCT$element_kit_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}