CVE-2026-3132

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to execute arbitrary code on servers running the Master Addons for Elementor Premium plugin. Attackers can exploit missing capability checks in the widget preview functionality to achieve remote code execution. All WordPress sites using this plugin up to version 2.1.3 are affected.

💻 Affected Systems

Products:
  • Master Addons for Elementor Premium WordPress plugin
Versions: All versions up to and including 2.1.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the vulnerable plugin activated. Any authenticated user (including Subscribers) can exploit this vulnerability.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to install malware, steal data, deface websites, or use the server as part of a botnet.

🟠 Likely Case

Website defacement, data theft, installation of backdoors, or cryptocurrency mining malware deployment.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3471598/master-addons/trunk/inc/admin/widget-builder/class-jltma-widget-admin.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Master Addons for Elementor Premium'.
  4. Click 'Update Now' if available, or manually update to version 2.1.4+.
  5. Verify the plugin version after the update.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the Master Addons plugin until patched:

wp plugin deactivate master-addons

Restrict user registration (applies to: all)

Disable new user registration to prevent attackers from creating Subscriber accounts.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to the vulnerable endpoint
  • Apply principle of least privilege: review and remove unnecessary Subscriber accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → Master Addons for Elementor Premium version. If version is 2.1.3 or lower, you are vulnerable.

Check Version:

wp plugin get master-addons --field=version

Verify Fix Applied:

After updating, verify the plugin shows version 2.1.4 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=jltma_widget_builder_preview
  • Unusual PHP execution patterns in web server logs
  • Suspicious file uploads or system command execution

Network Indicators:

  • Unusual outbound connections from web server
  • Traffic to known malicious domains or IPs

SIEM Query:

source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "jltma_widget_builder_preview")
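An added log-triage example, not part of this page or of any vendor tooling: it parses Combined Log Format access-log lines, flags requests to admin-ajax.php whose action parameter is jltma_widget_builder_preview, and also accepts separately parsed POST-body parameters, because WordPress AJAX actions usually travel in the request body, which default access logs do not record. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_ACTION = "jltma_widget_builder_preview"   # action named in the Log Indicators above
AJAX_PATH = "/wp-admin/admin-ajax.php"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def is_suspicious(rec, body_params=None):
    """True when the request targets admin-ajax.php with the vulnerable action in the
    query string or in separately supplied (e.g. WAF-logged) POST-body parameters."""
    if rec is None or not rec["path"].endswith(AJAX_PATH):
        return False
    actions = set(rec["query"].get("action", []))
    actions |= set((body_params or {}).get("action", []))
    return VULN_ACTION in actions

def find_hits(lines):
    """Return the parsed records for every line that matches the indicator."""
    return [rec for rec in map(parse_line, lines) if is_suspicious(rec)]

# Constructed sample lines (not real traffic); the first one is the indicator of interest.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=jltma_widget_builder_preview HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["target"])
```

A hit only tells you the endpoint was called; confirm the calling account's role and the plugin version before treating it as exploitation.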
