CVE-2026-1206

Name of the Vulnerable Software and Affected Versions Elementor Website Builder versions prior to 3.35.8

Description The Elementor Website Builder plugin for WordPress is susceptible to a flaw that allows unauthorized access to sensitive information. This is caused by a permission check error in the is allowed to read template() function, which incorrectly allows reading of non-published templates without proper edit capability verification. Authenticated attackers with contributor-level access or higher can read private or draft Elementor template content by manipulating the template id parameter within the get template data action of the elementor ajax endpoint.

Recommendations Update Elementor Website Builder to version 3.35.8 or later.