HIGHCVE-2026-3132Published 2026-03-02Modified 2026-04-08CNA Wordfence

CVE-2026-3132: Master Addons for Elementor Premium <= 2.1.3 - Authenticated (Subscriber+) Remote Code Execution via render_preview

The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Jewel Theme / Master Addons for Elementor Premium
≤ 2.1.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

wordfence.com
plugins.trac.wordpress.org
plugins.trac.wordpress.org

Metrics