ElementsKit Elementor Addons
cpe:2.3:a:wpmet:elements_kit_elementor_addons:*:*:*:*:wordpress:*:*
- <= 3.8.2
A vulnerability exists in the ElementsKit Elementor Addons plugin for WordPress in versions through 3.8.2. The issue arises from a missing capability check in the 'Live_Action::reset()' function, which is triggered by the WordPress 'init' action. The function performs no authentication or nonce verification, allowing unauthenticated attackers to overwrite the Elementor content of any 'elementskit_widget' custom post type. Exploitation involves sending a request with specific 'post' and 'action=elementor' GET parameters, resulting in the permanent replacement of the widget's custom designs and configurations with a blank template.
Exploitation of this vulnerability allows for unauthorized overwriting of Elementor content, specifically the '_elementor_data' meta field, on 'elementskit_widget' custom post types. This action permanently erases the widget's custom designs, text, and configurations, replacing them with a default blank template.
To reproduce this vulnerability, send a GET request to a WordPress site with the ElementsKit Elementor Addons plugin installed, version 3.8.2 or earlier. Include the 'post' parameter with the ID of an 'elementskit_widget' custom post type, and set the 'action' parameter to 'elementor'. The request should not include any authentication or nonce, as these are not verified. Once the request is processed, the '_elementor_data' for the specified widget will be overwritten with a blank template, erasing any custom content or designs.
Users are advised to update the ElementsKit Elementor Addons plugin to version 3.9.0 or later, where this vulnerability has been patched.
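For sites that ran 3.8.2 or earlier, the access log can be checked for the request shape described above. The script below is an added example, not code from the plugin or from this advisory; it assumes combined-format access logs, assumes legitimate Elementor editor sessions use /wp-admin/post.php, and treats a redirect from that path as an unauthenticated hit. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?post=4521&action=elementor HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-admin/post.php?post=4521&action=elementor HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:02:00 +0000] "GET /wp-admin/post.php?action=elementor&post=77 HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2025:10:03:00 +0000] "GET /shop/?post=12 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2025:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_ajax HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
EDITOR_PATH = "/wp-admin/post.php"  # assumption: path used by real editor sessions


def classify(line):
    """Return (ip, post_id, reason) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    qs = parse_qs(url.query)
    # The advisory's trigger: a GET carrying both 'post' and 'action=elementor'.
    if method != "GET" or "post" not in qs or qs.get("action") != ["elementor"]:
        return None
    post_id = qs["post"][0]
    if url.path != EDITOR_PATH:
        return (ip, post_id, "outside-editor-path")
    if status in ("301", "302"):
        # Assumption: a redirect from the editor URL means no valid session.
        return (ip, post_id, "editor-path-unauthenticated")
    return None  # consistent with a logged-in user opening the editor


def scan(log_text):
    """Classify every line and keep only the suspicious requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, post_id, reason in scan(SAMPLE_LOG):
        print(f"{ip} post={post_id} {reason}")
```

Any post ID reported this way that belongs to an 'elementskit_widget' post should have its '_elementor_data' compared against a backup.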