CVE-2026-2386

{"id": "CVE-2026-2386", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-18T13:16:21.423", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3463156/the-plus-addons-for-elementor-page-builder", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fc3e24a-8b51-4b6f-bacf-665ceb03bc05?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_user_can('edit_posts') while accepting a user-controlled 'post_type' value passed directly to wp_insert_post() without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., 'page' and 'nxt_builder') via the 'post_type' parameter."}, {"lang": "es", "value": "El plugin The Plus Addons para Elementor \u2013 Addons para Elementor, Page Templates, Widgets, Mega Menu, WooCommerce para WordPress es vulnerable a una autorizaci\u00f3n incorrecta en todas las versiones hasta la 6.4.7, ambas inclusive. Esto se debe a que el manejador AJAX tpae_create_page() autoriza a los usuarios solo con current_user_can('edit_posts') mientras acepta un valor 'post_type' controlado por el usuario pasado directamente a wp_insert_post() sin comprobaciones de capacidad espec\u00edficas del tipo de publicaci\u00f3n. Esto hace posible que atacantes autenticados, con acceso de nivel Autor y superior, creen publicaciones borrador arbitrarias para tipos de publicaci\u00f3n restringidos (por ejemplo, 'page' y 'nxt_builder') a trav\u00e9s del par\u00e1metro 'post_type'."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security@wordfence.com"}