CVE-2026-4362

Name of the Vulnerable Software and Affected Versions ElementsKit Elementor Addons versions prior to 3.8.3

Description The plugin is susceptible to unauthorized data modification because the Live Action::reset() function lacks a capability check. This function is linked to the WordPress init action and is triggered when the post and action=elementor GET parameters are provided without authentication or nonce verification. Consequently, unauthenticated attackers can overwrite the elementor data content of any elementskit widget custom post type by accessing a specifically crafted URL, resulting in the permanent replacement of custom designs, text, and configurations with a blank template.

Recommendations Update to a version later than 3.8.2. As a temporary workaround, restrict access to the Live Action::reset() function to minimize the risk of exploitation.