
Elementor CVE-2026-1206: Sensitive Data Exposure Patched in March 2026

ScanMyWordPress Team

Elementor patched CVE-2026-1206 in version 3.35.8 in March 2026. The vulnerability allowed Contributor-level users to read private and draft Elementor templates they should not have access to.

What Was Disclosed

In March 2026, Elementor released version 3.35.8 to patch CVE-2026-1206, an information disclosure vulnerability affecting all versions up to and including 3.35.7. The vulnerability was discovered by a security researcher and reported to Elementor through a coordinated disclosure process.

CVSS Score: 4.3 (Medium)
Authentication Required: Yes, Contributor-level or higher
Type: Sensitive Information Exposure

What the Vulnerability Exposed

The flaw is in how Elementor handles template access permissions. A user with at least Contributor-level access, a standard role with limited publishing permissions, could query the Elementor template system and retrieve the content of private or draft Elementor templates created by other users, including administrators.

In many WordPress installations, Contributor is a role granted to external writers who should not have visibility into unpublished content. This vulnerability undermined that access control model for Elementor templates specifically.

The Elementor Pro and WooCommerce Combination Risk

Separately from CVE-2026-1206, security researchers have identified a higher-severity issue affecting sites running a vulnerable version of Elementor Pro in combination with WooCommerce. In this configuration, any user with a WooCommerce customer account, which is automatically created for anyone who makes a purchase, can create a new administrator account. This escalates a low-privilege user to full admin access.

If your site runs both Elementor Pro and WooCommerce, verifying that you are on the latest version of Elementor Pro is particularly important.

Current Status

As of April 2026, none of the Elementor CVEs disclosed in Q1 2026 have confirmed active exploitation in the wild. However, Elementor is installed on a very large number of sites, making it a consistently attractive target for vulnerability research and exploitation. Keep Elementor and Elementor Pro updated as a standing priority.

How to Check Your Elementor Version

In your WordPress admin panel, navigate to Plugins and search for Elementor. The installed version number is displayed in the plugin listing. Compare it against the latest version available on WordPress.org or Elementor.com. If you are not on 3.35.8 or later, update now.
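For several sites on one server, the same check can be scripted. The following is an added example, not code from Elementor or from this article's authors; it assumes the default plugin path wp-content/plugins/elementor/elementor.php and a standard "Version:" plugin header, and the two sample installs it builds when run without arguments are constructed.

```shell
#!/bin/sh
# Added example (not Elementor or ScanMyWordPress code).
PATCHED="3.35.8"   # first fixed release for CVE-2026-1206, per the article

# Extract the numeric version from a plugin main-file header ("* Version: x.y.z").
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if $1 < $2, comparing dot-separated fields numerically
# (a plain string compare would wrongly rank 3.4.x above 3.35.x).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Report on one WordPress root: 0 = patched or absent, 1 = affected, 2 = unreadable.
check_site() {
    main="$1/wp-content/plugins/elementor/elementor.php"   # assumed default path
    [ -f "$main" ] || { echo "$1: Elementor not installed"; return 0; }
    v=$(plugin_version "$main")
    [ -n "$v" ] || { echo "$1: could not read version header"; return 2; }
    if version_lt "$v" "$PATCHED"; then
        echo "$1: Elementor $v is affected, update to $PATCHED or later"
        return 1
    fi
    echo "$1: Elementor $v is patched"
}

# Build a constructed sample install (fake header only) for the demo run.
make_sample() {
    mkdir -p "$1/wp-content/plugins/elementor"
    printf '<?php\n/**\n * Plugin Name: Elementor\n * Version: %s\n */\n' "$2" \
        > "$1/wp-content/plugins/elementor/elementor.php"
}

# With no arguments, run against two constructed installs; otherwise check the given roots.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample "$demo/old" 3.35.7; make_sample "$demo/new" 3.35.8
    set -- "$demo/old" "$demo/new"
fi
for root in "$@"; do check_site "$root" || true; done
```

Pass one or more WordPress root directories as arguments to check real installs. Any non-numeric suffix on the version string is ignored by the comparison.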

Filed under: Vulnerabilities
