PatchSiren cyber security CVE debrief

CVE-2026-49052 Wpmet CVE debrief

A Missing Authorization vulnerability in the ElementsKit Elementor addons Lite WordPress plugin allows authenticated users with low privileges to exploit incorrectly configured access control security levels. The vulnerability affects versions up to and including 3.9.6. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, with low impact to integrity and no impact to confidentiality or availability. The NVD entry status is currently Deferred, suggesting the record may be under review or awaiting additional analysis.

Vendor: Wpmet
Product: ElementsKit Elementor addons Lite
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using ElementsKit Elementor addons Lite plugin; security teams managing WordPress plugin inventories; developers maintaining sites with Elementor page builder integrations

Technical summary

The ElementsKit Elementor addons Lite plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) in versions through 3.9.6. The flaw permits authenticated attackers with low privileges to perform actions beyond their intended authorization level due to incorrectly configured access control security levels. The vulnerability requires network access and low-privileged credentials but no user interaction. Integrity impact is rated low with no confidentiality or availability impact.

Defensive priority

medium

Recommended defensive actions

  • Update ElementsKit Elementor addons Lite to a version newer than 3.9.6 when available
  • Review WordPress user role permissions and apply the principle of least privilege
  • Monitor plugin vendor (Wpmet) security advisories for a patch release
  • Consider implementing additional access controls at the web application firewall level for WordPress administrative functions
  • Audit plugin installations for unauthorized or unexpected version deployments
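
One way to carry out the version audit in the last item, as an added example that is not code from PatchSiren, Wpmet or Patchstack: it reads the Version header from a plugin's main PHP file the way WordPress does and flags anything at or below 3.9.6. The plugin directory and folder name are parameters; the `example-plugin` tree in `demo()` is constructed, so substitute the site's real wp-content/plugins path and the plugin's folder name.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = "3.9.6"  # from the advisory: versions up to and including 3.9.6

# Mirrors how WordPress reads the "Version:" field from a plugin header comment.
VERSION_RE = re.compile(r"^(?:[ \t]*<\?php)?[ \t/*#@]*Version:(.*)$", re.I | re.M)


def header_version(php_source):
    """Return the Version header value from plugin source text, or None."""
    m = VERSION_RE.search(php_source[:8192])  # WordPress reads only the first 8 KB
    return m.group(1).strip() if m and m.group(1).strip() else None


def version_key(version):
    """Numeric sort key; trailing zeros are dropped so 3.9.6.0 equals 3.9.6."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version):
    return version_key(version) <= version_key(LAST_AFFECTED)


def audit(plugins_dir, slug):
    """Check <plugins_dir>/<slug>/*.php and return (version, status)."""
    for php in sorted(Path(plugins_dir, slug).glob("*.php")):
        version = header_version(php.read_text(errors="replace"))
        if version:
            return version, "AFFECTED" if is_affected(version) else "ok"
    return None, "not installed or no header"


def demo():
    # Constructed plugin tree; "example-plugin" is a placeholder folder name.
    with tempfile.TemporaryDirectory() as root:
        main = Path(root, "example-plugin", "example-plugin.php")
        main.parent.mkdir()
        main.write_text("<?php\n/**\n * Plugin Name: Example\n * Version: 3.9.6\n */\n")
        return audit(root, "example-plugin")


if __name__ == "__main__":
    print(demo())
```

A version that differs from what the deployment pipeline is expected to ship is worth investigating even when it is reported as "ok".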

Evidence notes

Vulnerability identified by Patchstack and reported to CVE with CWE-862 (Missing Authorization) classification. Affected product confirmed as ElementsKit Elementor addons Lite WordPress plugin.
