PatchSiren cyber security CVE debrief
CVE-2026-49053 Wpmet CVE debrief
CVE-2026-49053 is a Missing Authorization vulnerability in the ElementsKit Elementor addons Lite WordPress plugin, affecting versions up to and including 3.9.6. The vulnerability allows exploitation of incorrectly configured access control security levels, potentially enabling unauthorized access to functionality that should be restricted. The issue was published to the CVE List on May 27, 2026, and carries a CVSS 3.1 score of 5.3 (MEDIUM severity). The vulnerability is classified under CWE-862 (Missing Authorization). The NVD entry currently shows a status of 'Deferred,' indicating the record may be awaiting additional analysis or vendor coordination. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor
- Wpmet
- Product
- ElementsKit Elementor addons Lite
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
WordPress site administrators using ElementsKit Elementor addons Lite, security teams managing WordPress deployments, and developers maintaining sites with Elementor-based page builders should prioritize assessment and patching.
Technical summary
The vulnerability stems from missing authorization checks in the ElementsKit Elementor addons Lite plugin, allowing unauthenticated or unauthorized users to access functionality that should require proper authentication and authorization. The CVSS 3.1 score of 5.3 reflects network accessibility, low attack complexity, and low confidentiality impact with no integrity or availability impact. The affected product is a popular Elementor addon plugin for WordPress, potentially exposing site functionality to unauthorized access.
Defensive priority
medium
Recommended defensive actions
- Review and update ElementsKit Elementor addons Lite to a version newer than 3.9.6 if available, or apply vendor-provided patches referenced in security advisories.
- Audit WordPress installations for deployments of ElementsKit Elementor addons Lite at version 3.9.6 or earlier.
- Implement principle of least privilege for WordPress user accounts and restrict access to administrative functions.
- Monitor access logs for unusual patterns of access to ElementsKit functionality that may indicate exploitation attempts.
- Consider implementing Web Application Firewall (WAF) rules to detect and block unauthorized access attempts to affected endpoints pending patch deployment.
Evidence notes
The vulnerability description and affected version range (through 3.9.6) are sourced directly from the CVE record. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) confirms network attack vector with low attack complexity, no privileges required, and low confidentiality impact. The CWE-862 classification is provided by the original reporter.
Official resources
-
CVE-2026-49053 CVE record
CVE.org
-
CVE-2026-49053 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
The CVE record was published on May 27, 2026, with a subsequent modification on the same day. The source of vulnerability discovery is Patchstack, as indicated by the reference attribution.