CVE-2026-11600 (GCVE-0-2026-11600)

Vulnerability from cvelistv5 – Published: 2026-07-02 05:35 – Updated: 2026-07-02 05:35
VLAI
Title
Envo's Templates & Widgets for Elementor and WooCommerce <= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget 'templates' Setting
Summary
The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).
CWE
Assigner
Impacted products
Credits
Alessandro Greco (Aleff) Giovanbattista Ianni
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce",
          "vendor": "envothemes",
          "versions": [
            {
              "lessThanOrEqual": "1.4.26",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alessandro Greco (Aleff)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Giovanbattista Ianni"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget\u0027s template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor\u0027s get_builder_content_for_display() without verifying the referenced post\u0027s status (published/private/draft) or the visitor\u0027s authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content\u0027s ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T05:35:01.383Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26100f1f-3224-486c-b4f9-7086d405a883?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L1268"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/off-canvas/widgets/off-canvas.php#L631"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L1268"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/off-canvas/widgets/off-canvas.php#L631"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578489%40envo-elementor-for-woocommerce\u0026new=3578489%40envo-elementor-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce \u003c= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget \u0027templates\u0027 Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11600",
    "datePublished": "2026-07-02T05:35:01.383Z",
    "dateReserved": "2026-06-08T14:54:04.597Z",
    "dateUpdated": "2026-07-02T05:35:01.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-11600\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-07-02T06:16:13.160\",\"lastModified\":\"2026-07-02T06:16:13.160\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget\u0027s template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor\u0027s get_builder_content_for_display() without verifying the referenced post\u0027s status (published/private/draft) or the visitor\u0027s authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content\u0027s ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).\"}],\"affected\":[{\"source\":\"security@wordfence.com\",\"affectedData\":[{\"vendor\":\"envothemes\",\"product\":\"Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"1.4.26\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/off-canvas/widgets/off-canvas.php#L631\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L103\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L1268\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/off-canvas/widgets/off-canvas.php#L631\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L103\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L1268\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578489%40envo-elementor-for-woocommerce\u0026new=3578489%40envo-elementor-for-woocommerce\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/26100f1f-3224-486c-b4f9-7086d405a883?source=cve\",\"source\":\"security@wordfence.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…