PT-2026-53810 · WordPress · Premium Addons For Kingcomposer
Eason · Published 2026-06-30 · Updated 2026-06-30
CVE-2026-12349
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Premium Addons for KingComposer versions prior to 1.1.2
Description
Missing authorization and capability checks in the add_custom_sidebar() and remove_custom_sidebar() AJAX handlers allow unauthenticated attackers to modify or delete data. These handlers are exposed through wp_ajax_nopriv_* hooks and write directly to the octagon_custom_sidebar option using the update_option() function. This flaw enables the creation of arbitrary custom widget areas or the deletion of existing custom sidebars, which may cause widgets assigned to those areas to stop rendering.
Recommendations
Update Premium Addons for KingComposer to version 1.1.2 or later.
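To check other plugin code for the pattern named in the Description (a wp_ajax_nopriv_* hook whose callback writes an option without a capability check), here is a small source audit, added as an example and not taken from the plugin or its fix. The PHP sample is constructed, and the AJAX action names, the example_guarded handler and the underscore spelling of the option name are assumptions.

```python
import re

# Constructed PHP sample, NOT the plugin's source. Action names are assumed.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_nopriv_add_custom_sidebar', 'add_custom_sidebar' );
add_action( 'wp_ajax_nopriv_remove_custom_sidebar', 'remove_custom_sidebar' );
add_action( 'wp_ajax_nopriv_example_guarded', 'example_guarded' );
function add_custom_sidebar() {
    $all = (array) get_option( 'octagon_custom_sidebar', array() );
    $all[] = $_POST['name'];
    update_option( 'octagon_custom_sidebar', $all );
}
function remove_custom_sidebar() {
    $all = (array) get_option( 'octagon_custom_sidebar', array() );
    unset( $all[ $_POST['id'] ] );
    update_option( 'octagon_custom_sidebar', $all );
}
function example_guarded() {
    if ( ! current_user_can( 'edit_theme_options' ) ) { wp_send_json_error( null, 403 ); }
    update_option( 'example_option', 1 );
}
"""

HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
WRITES = re.compile(r"\b(update_option|add_option|delete_option)\s*\(")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or None."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i]
    return None

def audit(src):
    """Flag unauthenticated AJAX hooks whose callback writes options unguarded."""
    findings = []
    for action, cb in HOOK.findall(src):
        body = function_body(src, cb) or ""  # "" = defined elsewhere; review by hand
        writes = sorted(set(WRITES.findall(body)))
        # A nonce check alone is not counted: it is not an authorization control.
        if writes and "current_user_can" not in body:
            findings.append((action, cb, writes))
    return findings
```

The brace matching is a heuristic that ignores braces inside PHP strings and comments, so treat hits as leads for manual review rather than confirmed findings.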
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Premium Addons For Kingcomposer