{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3132", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T16:55:08.584Z", "datePublished": "2026-03-02T17:23:35.677Z", "dateUpdated": "2026-04-08T17:01:35.594Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:35.594Z"}, "affected": [{"vendor": "Jewel Theme", "product": "Master Addons for Elementor Premium", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server."}], "title": "Master Addons for Elementor Premium <= 2.1.3 - Authenticated (Subscriber+) Remote Code Execution via render_preview", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76c31190-9db9-4d14-83e0-cbfca812e8ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/2.1.3/inc/admin/widget-builder/class-jltma-widget-admin.php#L1127"}, {"url": "https://plugins.trac.wordpress.org/changeset/3471598/master-addons/trunk/inc/admin/widget-builder/class-jltma-widget-admin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "timeline": [{"time": "2026-02-24T16:58:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-02T04:48:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T19:31:37.951778Z", "id": "CVE-2026-3132", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:38:55.495Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T19:31:37.951778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:35:37.063Z"}}], "cna": {"title": "Master Addons for Elementor Premium <= 2.1.3 - Authenticated (Subscriber+) Remote Code Execution via render_preview", "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Jewel Theme", "product": "Master Addons for Elementor Premium", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T16:58:31.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-02T04:48:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76c31190-9db9-4d14-83e0-cbfca812e8ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/2.1.3/inc/admin/widget-builder/class-jltma-widget-admin.php#L1127"}, {"url": "https://plugins.trac.wordpress.org/changeset/3471598/master-addons/trunk/inc/admin/widget-builder/class-jltma-widget-admin.php"}], "descriptions": [{"lang": "en", "value": "The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-02T17:23:35.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3132", "state": "PUBLISHED", "dateUpdated": "2026-03-02T19:38:55.495Z", "dateReserved": "2026-02-24T16:55:08.584Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-02T17:23:35.677Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server."}, {"lang": "es", "value": "El plugin Master Addons for Elementor Premium para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 2.1.3, inclusive, a trav\u00e9s de 'JLTMA_Widget_Admin::render_preview'. Esto se debe a la falta de una comprobaci\u00f3n de capacidad. Esto permite que atacantes autenticados, con acceso de nivel Suscriptor y superior, ejecuten c\u00f3digo en el servidor."}], "id": "CVE-2026-3132", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-02T18:16:27.947", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/2.1.3/inc/admin/widget-builder/class-jltma-widget-admin.php#L1127"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3471598/master-addons/trunk/inc/admin/widget-builder/class-jltma-widget-admin.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76c31190-9db9-4d14-83e0-cbfca812e8ea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.3]"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Master Addons for Elementor Premium", "source": "cna", "vendor": "Jewel Theme"}, "product": "master_addons_for_elementor", "vendor": "jeweltheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:00:48.081033+00:00", "value": {"mitigation_remediation": ["Upgrade Master Addons for Elementor Premium to the latest version where the issue is fixed.", "If an upgrade cannot be performed immediately, restrict the widget preview capability to administrators only or disable the plugin for all users except administrators.", "Consider temporarily removing the plugin from public-facing sites or restricting access to the WordPress admin area until the update is applied.", "Regularly check the vendor\u2019s website or trusted security advisories for any new patches or additional mitigation guidance."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The problem affects Jewel Theme\u2019s Master Addons for Elementor Premium plugin in all released versions up to and including 2.1.3. The plugin operates within the WordPress CMS, and any site that has installed or upgraded to this version range is potentially vulnerable unless the preview feature is disabled for non-administrators.", "description_and_impact": "The vulnerability arises from a missing capability check in the render_preview function of the Master Addons for Elementor Premium plugin. An attacker who authenticates to the WordPress site with at least Subscriber-level access can trigger this function and inject arbitrary code, leading to full compromise of the web server. This flaw is classified as CWE-94, which denotes code injection weaknesses.", "risk_and_exploitability": "With a CVSS score of 8.8, the flaw is considered high severity. However, the EPSS score is less than 1%, indicating that immediate exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits have been confirmed. The attack requires authentication, so it is limited to roles that can access the WordPress Admin dashboard; once authenticated, the attacker can execute arbitrary code via the preview renderer."}}}}, "created": "2026-03-03T08:42:33.405844+00:00", "updated": "2026-04-15T18:15:10.808191+00:00", "vendors": ["jeweltheme", "jeweltheme$PRODUCT$master_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}