Platform
wordpress
Component
master-addons-pro
Fixed in
2.1.4
CVE-2026-3132 is a Remote Code Execution (RCE) vulnerability affecting Master Addons for Elementor Premium, a WordPress plugin. This flaw allows authenticated attackers, even those with Subscriber-level access, to execute arbitrary code on the server. The vulnerability exists in versions 0.0.0 through 2.1.3 and has been resolved in version 2.1.4. Promptly update to the patched version to eliminate this risk.
The impact of this RCE vulnerability is significant. An attacker with Subscriber privileges can gain complete control over the WordPress server hosting the affected website. This could lead to data breaches, website defacement, malware installation, and potentially lateral movement to other systems on the network. The attacker could steal sensitive data stored within the WordPress database, including user credentials, customer information, and financial details. The ability to execute arbitrary code also allows for persistent backdoors, leaving the system exposed to future attacks even after the initial compromise is addressed.
CVE-2026-3132 was publicly disclosed on March 2, 2026. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's ease of exploitation makes it a likely target for malicious actors. The vulnerability is not currently listed on the CISA KEV catalog. Given the RCE nature and the relatively low privilege requirement (Subscriber), it is considered a high-priority vulnerability to address.
Websites using Master Addons for Elementor Premium, particularly those with a large number of users or handling sensitive data, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates and security configurations. WordPress sites with weak user access controls, allowing Subscriber-level users broad permissions, are also at increased risk.
• wordpress: Use wp-cli to check plugin versions (the grep matches the plugin slug in the list output):
  wp plugin list --status=active | grep -i 'master-addons'
• wordpress: Search plugin files for the vulnerable function JLTMA_Widget_Admin::render_preview using grep:
  grep -r 'JLTMA_Widget_Admin::render_preview' /path/to/master-addons-for-elementor-premium
• generic web: Monitor access logs for requests to URLs containing JLTMA_Widget_Admin::render_preview.
• generic web: Check response headers for unusual content or code execution indicators.
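The version check above can be automated against the affected range the advisory states (0.0.0 through 2.1.3, fixed in 2.1.4). The following script is an added example, not code from the advisory or the plugin; it assumes POSIX sh with awk and sed, and that the plugin's main .php file carries the standard WordPress "Version:" header in its directory. The sample plugin directory it builds is constructed for offline demonstration.

```shell
#!/bin/sh
# Added example: is an installed Master Addons for Elementor Premium version
# inside the CVE-2026-3132 range (older than the fixed release 2.1.4)?
FIXED_VERSION="2.1.4"

# version_lt A B -> exit 0 when A is older than B, comparing each dot-separated
# component numerically (so 2.10.0 ranks above 2.1.4, unlike a string compare).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not older
    }'
}

# is_affected VERSION -> exit 0 when VERSION is in the vulnerable range.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# plugin_version_from_dir DIR -> prints the first "Version: x.y.z" header found
# in a top-level .php file of DIR (the WordPress plugin header block).
plugin_version_from_dir() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# make_sample_plugin_dir -> constructed plugin directory with a vulnerable
# 2.1.3 header, used only to demonstrate the check offline; prints its path.
make_sample_plugin_dir() {
    d=$(mktemp -d)
    printf '<?php\n/**\n * Plugin Name: Master Addons for Elementor Premium\n * Version: 2.1.3\n */\n' > "$d/plugin.php"
    printf '%s\n' "$d"
}

# check_plugin_dir DIR -> exit 0 (and report) when affected, 1 when patched/unknown.
check_plugin_dir() {
    v=$(plugin_version_from_dir "$1") || { echo "no Version header found in $1"; return 1; }
    if is_affected "$v"; then echo "AFFECTED: $v < $FIXED_VERSION (CVE-2026-3132)"; return 0; fi
    echo "patched: $v >= $FIXED_VERSION"; return 1
}
```

Point check_plugin_dir at the real plugin directory under wp-content/plugins to test a live install; the sample directory only exercises the vulnerable branch.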
Disclosure
Exploit status
EPSS
0.25% (48th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade Master Addons for Elementor Premium to version 2.1.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block access to the vulnerable JLTMA_Widget_Admin::render_preview endpoint. Additionally, restrict access to the WordPress admin panel to authorized users only, with strong passwords and multi-factor authentication. Regularly review user roles and permissions to ensure the principle of least privilege is enforced.
Update to version 2.1.4 or a newer patched version
CVE-2026-3132 is a Remote Code Execution vulnerability in Master Addons for Elementor Premium WordPress plugin, allowing authenticated attackers to execute code on the server.
You are affected if you are using Master Addons for Elementor Premium versions 0.0.0 through 2.1.3. Check your plugin version immediately.
Upgrade Master Addons for Elementor Premium to version 2.1.4 or later. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a likely target for malicious actors. Monitor your systems closely.
Refer to the official Master Addons for Elementor Premium website or WordPress plugin repository for the latest security advisory and update information.