Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11600

CVE-2026-11600: Envo Elementor Plugin Info Disclosure Flaw

CVE-2026-11600 is an information disclosure vulnerability in Envo's Templates & Widgets for Elementor plugin that allows authenticated attackers to expose private content. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-11600 Overview

CVE-2026-11600 is a missing authorization vulnerability in the Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress. The flaw affects all versions up to and including 1.4.26. The Envo Tabs widget's render() method passes a user-controlled template or post ID directly to Elementor's get_builder_content_for_display() function. The plugin does not verify the referenced post's status (published, private, or draft) or the visitor's authorization to view it. Authenticated attackers with Author-level access or above can disclose the contents of private Elementor-driven pages and templates to anonymous visitors.

Critical Impact

Authenticated users with Author privileges can expose the contents of private WordPress pages and templates to unauthenticated visitors through a crafted Envo Tabs widget configuration.

Affected Products

  • Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress
  • All versions up to and including 1.4.26
  • Affected modules: Envo Tabs widget and Off Canvas widget

Discovery Timeline

  • 2026-07-02 - CVE-2026-11600 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-11600

Vulnerability Analysis

The vulnerability stems from a missing authorization check in the plugin's widget rendering logic [CWE-862]. The render() method of the Envo Tabs widget accepts a template or post ID from widget configuration data. It passes that identifier directly to Elementor's get_builder_content_for_display() function without validation. The function returns rendered template content regardless of the post's publication status or the current visitor's permissions.

Attackers exploit this by embedding an Envo Tabs widget on any public post. They supply the ID of a private page or template through the underlying Elementor widget JSON. The Elementor editor REST API allows Author-level users to submit this JSON directly. When any visitor loads the public post, the widget renders the private content inline.

Root Cause

The root cause is the absence of a permission check before rendering referenced Elementor content. The plugin trusts the widget configuration as authoritative. It does not call current_user_can() or check the target post's post_status before invoking the Elementor builder rendering function. See the WordPress Tabs Widget Code and the WordPress Off-Canvas Widget Code for the vulnerable code paths.

Attack Vector

An attacker with Author-level access authenticates to the WordPress site. They create or edit a public post using the Elementor editor. Through the Elementor editor REST API, they modify the Envo Tabs widget JSON to reference the numeric ID of a private page, draft, or template. Once the public post is saved, anonymous visitors accessing that URL receive the private content rendered on the page.

The vulnerability requires authentication and low attack complexity. Exploitation results in confidentiality impact only, with no integrity or availability effects. Refer to the Wordfence Vulnerability Report for additional analysis.

Detection Methods for CVE-2026-11600

Indicators of Compromise

  • Public posts containing Envo Tabs or Off Canvas widgets that reference template or post IDs not owned by the post author
  • Unusual REST API calls to Elementor editor endpoints from Author-level accounts modifying widget JSON payloads
  • Anonymous visitor traffic to public posts returning content strings sourced from private or draft pages

Detection Strategies

  • Audit the post_meta_elementor_data field for Envo Tabs and Off Canvas widget entries referencing post IDs whose post_status is not publish
  • Review WordPress access logs for Author-level accounts sending POST requests to /wp-json/elementor/v1/ endpoints modifying tab widget templates
  • Compare rendered public post output against known private content signatures to identify data disclosure

Monitoring Recommendations

  • Log all Elementor REST API write operations and correlate against user role and referenced post IDs
  • Monitor for the plugin envo-elementor-for-woocommerce at versions 1.4.26 and earlier across managed WordPress installations
  • Alert on newly created or modified public posts that reference private post IDs within Elementor widget configurations

How to Mitigate CVE-2026-11600

Immediate Actions Required

  • Update the Envo's Templates & Widgets for Elementor and WooCommerce plugin to a version later than 1.4.26 once the vendor publishes a fixed release
  • Restrict Author-level and higher account provisioning to trusted users only until the plugin is updated
  • Review all public posts containing Envo Tabs or Off Canvas widgets and remove references to private template or post IDs

Patch Information

The vulnerability affects versions up to and including 1.4.26. Review the WordPress Change Log Entry for the plugin's changeset history and apply any available updates from the WordPress plugin repository.

Workarounds

  • Deactivate the Envo's Templates & Widgets for Elementor and WooCommerce plugin until an updated version is available
  • Remove Author-level access from accounts that do not require content editing privileges
  • Deploy a web application firewall rule to block REST API requests that modify Elementor widget JSON to include unpublished post IDs
bash
# Configuration example: disable the plugin via WP-CLI
wp plugin deactivate envo-elementor-for-woocommerce

# Verify plugin status
wp plugin status envo-elementor-for-woocommerce

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.