CVE-2026-3132
Published: 02 March 2026
Description
The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview' method. This is due to a missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.
Mitigating Controls (NIST 800-53 r5)
- AC-3 Access Enforcement: enforces approved authorizations, directly addressing the missing capability check in render_preview that lets low-privileged users execute arbitrary code.
- AC-6 Least Privilege: limits the population of principals who hold the Subscriber-level access the exploit requires (no open self-registration where it is not needed, dormant accounts removed), and keeps admin-side preview functionality bound to the roles that legitimately use it.
- SI-2 Flaw Remediation: mandates timely flaw remediation by updating the plugin beyond version 2.1.3, the version that patches the missing capability check.
Security Summary
CVE-2026-3132 is a remote code execution vulnerability in the Master Addons for Elementor Premium plugin for WordPress, affecting all versions up to and including 2.1.3. The flaw exists in the 'JLTMA_Widget_Admin::render_preview' method due to a missing capability check, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and low privileges required.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely without user interaction. On sites where "Anyone can register" is enabled and the default role is left at Subscriber, that privilege level is available to any anonymous visitor, so the PR:L in the vector understates exposure for such deployments. By leveraging the insufficient authorization in the render_preview function, attackers can execute arbitrary code on the affected server, potentially leading to full server compromise, data theft, or further lateral movement within the environment.
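To make the control gap concrete, the following is an added illustration written for this page, not code from the Master Addons plugin or from Wordfence's advisory. It models a hypothetical admin-ajax preview handler (the class name `Example_Widget_Admin`, the action names, the `template` parameter and the allowlist are all assumptions) first without and then with the checks a capability-gated WordPress endpoint needs. Only the authorization pattern is reproduced; the plugin's real rendering logic and the path from the missing check to code execution are not described by the advisory and are not modelled here.

```php
<?php
/**
 * Illustrative example for the bug class behind CVE-2026-3132: an authenticated
 * preview endpoint with no capability check. Hypothetical code, not the plugin's.
 * Assumes a WordPress runtime (wp_ajax_* hooks, current_user_can(), nonces).
 */
class Example_Widget_Admin {

    // Hypothetical allowlist of preview templates the feature legitimately supports.
    const ALLOWED_TEMPLATES = array( 'card', 'grid', 'list' );

    public function __construct() {
        // wp_ajax_{action} fires for EVERY logged-in user, Subscribers included.
        // Registering a handler here is not an authorization check.
        add_action( 'wp_ajax_example_render_preview', array( $this, 'render_preview_vulnerable' ) );
        add_action( 'wp_ajax_example_render_preview_safe', array( $this, 'render_preview_hardened' ) );
    }

    /**
     * BEFORE: the only gate is "is logged in" (implied by wp_ajax_). No nonce,
     * no capability check, and request data reaches the renderer unfiltered.
     * A freshly registered Subscriber can call this.
     */
    public function render_preview_vulnerable() {
        $template = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : '';
        echo $this->render( $template );
        wp_die();
    }

    /**
     * AFTER: three independent gates, evaluated before any request data is used.
     *  1. Nonce      - the request came from our own UI (CSRF protection).
     *  2. Capability - THIS user is allowed to use the feature (AC-3 / AC-6).
     *  3. Allowlist  - the renderer is only ever asked to do known things (CWE-94).
     */
    public function render_preview_hardened() {
        // Dies with HTTP 403 if the 'nonce' field is missing or stale.
        check_ajax_referer( 'example_render_preview', 'nonce' );

        // Use the narrowest capability the feature genuinely needs. An admin-side
        // widget preview should not be callable by Subscribers; 'manage_options'
        // restricts it to administrators ('edit_posts' would admit Contributors+).
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        $template = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
        if ( ! in_array( $template, self::ALLOWED_TEMPLATES, true ) ) {
            wp_send_json_error( array( 'message' => 'Unknown template.' ), 400 );
        }

        wp_send_json_success( array( 'html' => $this->render( $template ) ) );
    }

    /**
     * The client must send a matching nonce: expose this value to the editor
     * script (e.g. via wp_localize_script()) and post it as the 'nonce' field.
     */
    public function preview_nonce() {
        return wp_create_nonce( 'example_render_preview' );
    }

    /** Placeholder renderer; the real plugin's rendering path is out of scope here. */
    private function render( $template ) {
        return '<div class="example-preview example-preview-' . esc_attr( $template ) . '"></div>';
    }
}

new Example_Widget_Admin();
```

When verifying a vendor patch for this class of issue, look for more than the presence of a `current_user_can()` call: it must run before any request parameter is read or acted on, it must test a capability that Subscribers do not hold, and the nonce check alone is not a substitute, since a low-privileged user can obtain a valid nonce from any page that emits it. A quick functional check is to log in as a Subscriber and POST to admin-ajax.php with the handler's action; the hardened form above answers 403.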
Advisories reference the vulnerable code at line 1127 in the plugin's 2.1.3 tag and a subsequent changeset (3471598) modifying the class-jltma-widget-admin.php file, suggesting a patch has been applied in newer trunk versions. Wordfence's threat intelligence page provides additional details on the issue (ID: 76c31190-9db9-4d14-83e0-cbfca812e8ea). Security practitioners should update the plugin beyond version 2.1.3 to mitigate the risk.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-3132 enables remote code execution in a public-facing WordPress plugin via a missing capability check, exploitable by low-privileged authenticated users (PR:L). This maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1068 (Exploitation for Privilege Escalation), since code execution in the web server's context turns Subscriber-level access into control of the host.