PT-2026-20640 · Elementor+1
Abhirup Konwar · Published 2026-02-19 · Updated 2026-02-19 · CVE-2026-2284
CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
The News Element Elementor Blog Magazine plugin for WordPress versions up to and including 1.0.8
Description
The plugin is susceptible to a missing authorization issue due to the absence of a capability check and nonce verification on the ne clean data AJAX action. This allows authenticated attackers with Subscriber-level access or higher to truncate eight core WordPress database tables (posts, comments, terms, term relationships, term taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, potentially leading to complete data loss.
Recommendations
Update The News Element Elementor Blog Magazine plugin to a version later than 1.0.8.
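As an added example (not code from the plugin or from this advisory), the following heuristic Python audit flags `wp_ajax_*` handlers whose body contains no capability check or no nonce check, the two omissions named in the description. The embedded PHP sample, the `demo_*` names and `demo_wipe_site_data()` are constructed for illustration.

```python
import re

# Constructed sample plugin source (NOT the affected plugin's code).
SAMPLE_PHP = r'''
add_action( 'wp_ajax_demo_clean_data', 'demo_clean_data' );
function demo_clean_data() {
    demo_wipe_site_data(); // hypothetical destructive routine, no checks before it
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_clean_data_safe', 'demo_clean_data_safe' );
function demo_clean_data_safe() {
    check_ajax_referer( 'demo_clean_data_safe', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    demo_wipe_site_data();
    wp_send_json_success();
}
'''

# wp_ajax_<action> hooks run for every logged-in user, Subscribers included.
HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_(?:nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
CHECKS = {
    "capability check": re.compile(r"\bcurrent_user_can\s*\("),
    "nonce check": re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\("),
}

def function_body(src, name):
    """Brace-balanced body of a named PHP function (naive: counts braces in strings too)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each wp_ajax_* action to the checks its handler body lacks."""
    findings = {}
    for action, callback in HOOK.findall(src):
        # A handler defined in another file is treated as unchecked: review it by hand.
        body = function_body(src, callback) or ""
        missing = [label for label, rx in CHECKS.items() if not rx.search(body)]
        if missing:
            findings[action] = missing
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PHP))
```

A hit on `current_user_can` or `check_ajax_referer` only shows the call is present in the handler; whether the required capability is appropriate for the operation still needs manual review.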
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Elementor
News Element Elementor Blog Magazine