2 vulnerabilities found for Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor by thimpress
CVE-2026-1870 (GCVE-0-2026-1870)
Vulnerability from nvd – Published: 2026-03-14 13:24 – Updated: 2026-03-14 13:24
Title
Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure
Summary
The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thimpress | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | Affected: * , ≤ 1.3.7 (semver) |
Credits
Youssef Elouaer
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Thim Kit for Elementor \u2013 Pre-built Templates \u0026 Widgets for Elementor",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "1.3.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youssef Elouaer"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Thim Kit for Elementor \u2013 Pre-built Templates \u0026 Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the \u0027thim-ekit/archive-course/get-courses\u0027 REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-14T13:24:42.173Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c82577a-e7ee-4549-8d0f-bed09effa035?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3467195/thim-elementor-kit"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T03:25:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-14T00:34:04.000Z",
"value": "Disclosed"
}
],
"title": "Thim Kit for Elementor \u003c= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1870",
"datePublished": "2026-03-14T13:24:42.173Z",
"dateReserved": "2026-02-03T23:11:32.158Z",
"dateUpdated": "2026-03-14T13:24:42.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1870 (GCVE-0-2026-1870)
Vulnerability from cvelistv5 – Published: 2026-03-14 13:24 – Updated: 2026-03-14 13:24
Title
Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure
Summary
The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thimpress | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | Affected: * , ≤ 1.3.7 (semver) |
Credits
Youssef Elouaer
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Thim Kit for Elementor \u2013 Pre-built Templates \u0026 Widgets for Elementor",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "1.3.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youssef Elouaer"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Thim Kit for Elementor \u2013 Pre-built Templates \u0026 Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the \u0027thim-ekit/archive-course/get-courses\u0027 REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-14T13:24:42.173Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c82577a-e7ee-4549-8d0f-bed09effa035?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3467195/thim-elementor-kit"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T03:25:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-14T00:34:04.000Z",
"value": "Disclosed"
}
],
"title": "Thim Kit for Elementor \u003c= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1870",
"datePublished": "2026-03-14T13:24:42.173Z",
"dateReserved": "2026-02-03T23:11:32.158Z",
"dateUpdated": "2026-03-14T13:24:42.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}