
Analysis Report · Folder Analysis cache/essential-addons-for-elementor-lite_6.5.5 → cache/essential-addons-for-elementor-lite_6.5.6 — CVE-2026-1004



includes/Elements/Woo_Product_Carousel.php AI: 2 vulnerabilities 2 false positives CVE-2026-1004
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Woo_Product_Carousel.php	2026-01-16 00:20:08.736178051 +0000
+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Woo_Product_Carousel.php	2026-01-16 00:21:01.819509438 +0000
@@ -3250,13 +3250,13 @@
             if (  in_array( $product_purchase_type, ['purchased', 'not-purchased'] ) ) {
                 $user_ordered_products = HelperClass::eael_get_all_user_ordered_products();
                 $no_products_found = empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ? 1 : 0;
- 
+
                 if ( ! empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ){
-                    $args['post__in'] = $user_ordered_products;
+                    $args['include'] = $user_ordered_products;
                 }
 
                 if ( ! empty( $user_ordered_products ) && 'not-purchased' === $product_purchase_type ){
-                    $args['post__not_in'] = $user_ordered_products;
+                    $args['exclude'] = array_merge( $args['exclude'] ?? [], $user_ordered_products );
                 }
             }
         }
@@ -3294,7 +3294,7 @@
 
             if( 'yes' !== $settings['enable_marquee'] ){
                 if ( file_exists( $template ) && $settings['image_dots'] === 'yes') {
-                    $this->render_image_dots($query);
+                    $this->render_image_dots( $query );
                 } else {
                     $this->render_dots();
                 }
@@ -3325,7 +3325,7 @@
         <?php }
     }
 
-	protected function render_image_dots($query)
+	protected function render_image_dots( $query )
 	{
 		$settings = $this->get_settings_for_display();
 
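Review bot: In the `purchased` branch, `$args['include'] = $user_ordered_products;` replaces whatever `include` the caller already put into `$args`, so a manual product selection or a sale-products filter built earlier is overwritten rather than narrowed, while the `not-purchased` branch merges into `exclude`; the two branches are not symmetric. If `$args` can already carry `include` at this point (the new `product_wc_query_builder()` later in this diff sets it for the `manual` and `sale-products` filters), narrow instead: `$args['include'] = isset( $args['include'] ) ? array_intersect( $args['include'], $user_ordered_products ) : $user_ordered_products;`. An empty intersection must then still become `[ 0 ]` rather than `[]`, since an empty `include` is no restriction at all to WC_Product_Query, as the builder's own `[ 0 ]` sentinel suggests. The enclosing method starts and ends outside this hunk.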
@@ -3411,7 +3411,141 @@     }  	/**-	 * Build proper query to fetch product data from wp query+	 * Build proper query to fetch product data from WC_Product_Query+	 * @return array+	 */+    public function product_wc_query_builder(){+	    $settings                     = $this->get_settings_for_display();+	    $widget_id                    = esc_attr( $this->get_id() );+	    $settings[ 'eael_widget_id' ] = $widget_id;+	    $order_by                     = $settings[ 'orderby' ];+	    $filter                        = $settings[ 'eael_product_carousel_product_filter' ];+	    $args                         = [+		    'status'         => !empty( $settings['eael_product_carousel_products_status'] ) ? $settings['eael_product_carousel_products_status'] : ['publish'],+		    'limit'          => $settings[ 'eael_product_carousel_products_count' ] ?: 4,+		    'order'          => $settings[ 'order' ],+		    'offset'         => $settings[ 'product_offset' ],+            'exclude'        => array( get_the_ID() ),+		    'paginate'       => true,+		    'return'         => 'objects',+		    'visibility'     => 'visible',+	    ];++	    // Handle orderby with WC_Product_Query native parameters+	    if ( $order_by == '_price' ) {+		    $args[ 'orderby' ] = 'price';+	    } elseif ( $order_by == '_sku' ) {+		    $args[ 'orderby' ] = 'sku';+	    } else {+		    $args[ 'orderby' ] = $order_by;+	    }++	    if ( $filter == 'featured-products' ) {+		    $args[ 'featured' ] = true;+	    }++	    if ( $filter == 'best-selling-products' ) {+		    $args[ 'orderby' ] = 'total_sales';+		    $args[ 'order' ]   = 'DESC';+	    }++	    if ( $filter == 'top-products' ) {+		    $args[ 'orderby' ] = 'average_rating';+		    $args[ 'order' ]   = 'DESC';+	    }++        if ( $filter == 'related-products' ) {+		    $current_product_id = get_the_ID();+            $product_categories = wp_get_post_terms( $current_product_id, 'product_cat', array( 'fields' => 'ids' ) );+            $product_tags       = 
wp_get_post_terms( $current_product_id, 'product_tag', array('fields' => 'names' ) );+            $args['tax_query'] = array(+                'relation' => 'OR',+                array(+                    'taxonomy' => 'product_cat',+                    'field'    => 'term_id',+                    'terms'    => $product_categories,+                    'operator' => 'IN',+                ),+                array(+                    'taxonomy' => 'product_tag',+                    'field'    => 'name',+                    'terms'    => $product_tags,+                    'operator' => 'IN',+                ),+            );+	    }++	    if ( get_option( 'woocommerce_hide_out_of_stock_items' ) == 'yes' ) {+		    $args[ 'stock_status' ] = 'instock';+	    }++	    // Handle on sale products exclusion+	    if ( 'yes' !== $settings['eael_product_carousel_show_onsale'] ) {+		    $on_sale_ids = wc_get_product_ids_on_sale();+		    if ( ! empty( $on_sale_ids ) ) {+			    $args['post__not_in'] = isset( $args['post__not_in'] ) ?+				    array_merge( $args['post__not_in'], $on_sale_ids ) :+				    $on_sale_ids;+		    }+	    }++	    if ( $filter == 'sale-products' ) {+		    $sale_ids = wc_get_product_ids_on_sale();+		    $args['include'] = !empty( $sale_ids ) ? $sale_ids : [ 0 ];+	    }++        if ( $filter == 'manual' ) {+            $args['include'] = ! empty( $settings['eael_product_carousel_products_in'] ) ? $settings['eael_product_carousel_products_in'] : [ 0 ];+        }+++	    // Handle taxonomy filters+	    $taxonomies = get_taxonomies( [ 'object_type' => [ 'product' ] ], 'objects' );+	    foreach ( $taxonomies as $object ) {+            echo_pre( $object );+            $setting_key = $object->name . 
'_ids';++            if ( empty( $settings[ $setting_key ] ) ) {+                continue;+            }++            $terms = get_terms( [+                'taxonomy'   => $object->name,+                'include'    => $settings[ $setting_key ],+                'hide_empty' => false,+            ] );++            if ( empty( $terms ) || is_wp_error( $terms ) ) {+                continue;+            }++            $slugs = wp_list_pluck( $terms, 'slug' );++            // Categories+            if ( $object->name === 'product_cat' ) {+                $args['category'] = $slugs;+                continue;+            }++            // Tags+            if ( $object->name === 'product_tag' ) {+                $args['tag'] = $slugs;+                continue;+            }++            // Attributes+            if ( strpos( $object->name, 'pa_' ) === 0 ) {+                $args['attribute']      = substr( $object->name, 3 );+                $args['attribute_term'] = $slugs;+                continue;+            }+        }++	    return $args;+    }++    /**+	 * Build proper query to fetch product data from wp_query 	 * @return array 	 */     public function product_query_builder(){@@ -3537,6 +3671,82 @@ 	    return $args;     } +	/**+	 * Convert WP_Query arguments to WC_Product_Query arguments+	 * @param array $wp_args Original WP_Query arguments+	 * @param array $settings Widget settings+	 * @return array WC_Product_Query compatible arguments+	 */+	public function convert_wp_query_args_to_wc_product_query( $wp_args, $settings = [] ) {+		$wc_args = [+			'paginate' => true,+			'return' => 'objects',+			'visibility' => 'visible'+		];++		// Parameter mapping+		$arg_mapping = [+			'posts_per_page' => 'limit',+			'post_status' => 'status',+			'post__in' => 'include',+			'post__not_in' => 'exclude',+			'author__in' => 'author',+			'paged' => 'page',+		];++		foreach ( $arg_mapping as $wp_key => $wc_key ) {+			if ( isset( $wp_args[ $wp_key ] ) ) {+				$wc_args[ $wc_key ] = 
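Review bot: `echo_pre( $object );` inside the taxonomy loop of `product_wc_query_builder()` is debug output left in a front-end query builder: it dumps every product taxonomy object into the rendered page (and into any AJAX payload that reaches this method), so the line should be deleted. The `'status'` entry in `$args` also hands `$settings['eael_product_carousel_products_status']` to WC_Product_Query unfiltered, while `convert_wp_query_args_to_wc_product_query()` later in this diff intersects the same setting with `[ 'publish', 'draft', 'pending', 'future' ]`; since CVE-2026-1004 is about exposing non-published products, apply the same whitelist here: `'status' => ! empty( $settings['eael_product_carousel_products_status'] ) ? array_intersect( (array) $settings['eael_product_carousel_products_status'], [ 'publish', 'draft', 'pending', 'future' ] ) : [ 'publish' ],`. The on-sale exclusion still writes `$args['post__not_in']`, the WP_Query key this same diff replaces with `exclude` in the hunk at line 3250, so WC_Product_Query presumably never sees it and on-sale products are shown even when `eael_product_carousel_show_onsale` is off; merge into the key the builder already initialises instead: `$args['exclude'] = array_merge( $args['exclude'], $on_sale_ids );`.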
$wp_args[ $wp_key ];+			}+		}++		// Handle other parameters+		$direct_copy = [ 'orderby', 'order', 'offset' ];+		foreach ( $direct_copy as $key ) {+			if ( isset( $wp_args[ $key ] ) ) {+				$wc_args[ $key ] = $wp_args[ $key ];+			}+		}++		// Handle search+		if ( isset( $wp_args['s'] ) ) {+			$wc_args['search'] = $wp_args['s'];+		}++		// Preserve complex queries+		if ( isset( $wp_args['meta_query'] ) ) {+			$wc_args['meta_query'] = $wp_args['meta_query'];+		}+		if ( isset( $wp_args['tax_query'] ) ) {+			$wc_args['tax_query'] = $wp_args['tax_query'];+		}++		// Handle meta_key/meta_value+		if ( isset( $wp_args['meta_key'] ) ) {+			if ( ! isset( $wc_args['meta_query'] ) ) {+				$wc_args['meta_query'] = [ 'relation' => 'AND' ];+			}+			$meta_query = [ 'key' => $wp_args['meta_key'] ];+			if ( isset( $wp_args['meta_value'] ) ) {+				$meta_query['value'] = $wp_args['meta_value'];+			}+			if ( isset( $wp_args['meta_compare'] ) ) {+				$meta_query['compare'] = $wp_args['meta_compare'];+			}+			$wc_args['meta_query'][] = $meta_query;+		}++		// Apply settings-based parameters+		if ( ! empty( $settings['eael_product_carousel_products_status'] ) ) {+			$wc_args['status'] = array_intersect(+				(array) $settings['eael_product_carousel_products_status'],+				[ 'publish', 'draft', 'pending', 'future' ]+			);+		}++		return $wc_args;+	}+ 	public function load_quick_view_asset(){ 		add_action('wp_footer',function (){ 			if ( version_compare( WC()->version, '3.0.0', '>=' ) ) {
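Review bot: In `convert_wp_query_args_to_wc_product_query()` the status whitelist only runs when `$settings['eael_product_carousel_products_status']` is non-empty, so otherwise `status` keeps whatever `post_status` the `$arg_mapping` loop copied from `$wp_args`, and an `array_intersect()` that filters everything out leaves `status` as `[]` instead of falling back to `publish`; both paths sidestep the whitelist. Where `$wp_args` comes from is outside this hunk, so whether a caller can supply `post_status` cannot be confirmed here, but a `public` converter should not depend on that. The method is also a near-verbatim copy of the private `convert_pagination_args_to_wc_product_query()` added to `includes/Traits/Ajax_Handler.php` in the same release; one shared helper would keep the two whitelists from drifting.
```php
	// … unchanged: key mapping, orderby/order/offset, search, meta_query/tax_query …

	// Only the saved widget setting may widen the status; a post_status copied from $wp_args is discarded.
	$status = array_intersect(
		(array) ( $settings['eael_product_carousel_products_status'] ?? [] ),
		[ 'publish', 'draft', 'pending', 'future' ]
	);
	$wc_args['status'] = ! empty( $status ) ? $status : [ 'publish' ];

	return $wc_args;
```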
AI Analysis
Analysis of the `Woo_Product_Carousel.php` hunks for security-relevant changes.

---

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

**Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)** - CWE-79 - includes/Elements/Woo_Product_Carousel.php - Line 3417

Old Code:
```php
$widget_id = esc_attr( $this->get_id() );
```

Fixed Code:
```php
$widget_id = esc_attr( $this->get_id() );
```

Explanation:
The assignment is byte-identical in both versions and `esc_attr()` is applied at the point of assignment, so this hunk neither introduces nor fixes an XSS. `$widget_id` is then stored in `$settings['eael_widget_id']` on the next line; whether it is escaped again where it is eventually rendered is outside this diff and cannot be confirmed here. Treated as a false positive.

---

**Vulnerability 2:**

Vulnerability Existed: yes
FALSE POSITIVE

**Improper Neutralization of SQL Command ('SQL Injection')** - CWE-89 - includes/Elements/Woo_Product_Carousel.php - Lines 3475-3478

Old Code:
```php
$args['post__not_in'] = isset( $args['post__not_in'] ) ?
    array_merge( $args['post__not_in'], $on_sale_ids ) :
    $on_sale_ids;
```

Fixed Code:
```php
$args['post__not_in'] = isset( $args['post__not_in'] ) ?
    array_merge( $args['post__not_in'], $on_sale_ids ) :
    $on_sale_ids;
```

Explanation:
The new `product_wc_query_builder()` builds arguments for `WC_Product_Query` (per its docblock), but the on-sale exclusion writes `$args['post__not_in']`, a WP_Query key. The same diff maps that key to `exclude` in `convert_wp_query_args_to_wc_product_query()` and replaces it with `exclude` in the hunk at line 3250, so here the exclusion is most likely ignored and on-sale products are shown even when the widget is configured to hide them. That is a filtering defect, not SQL injection: the IDs come from `wc_get_product_ids_on_sale()`, not from the request, and WordPress/WooCommerce build the query from integer-cast, prepared values. The "Old Code" and "Fixed Code" above are identical because this is new code in 6.5.6, not a patched line.

---

**Vulnerability 3:**

Vulnerability Existed: not sure

**Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)** - CWE-79 - includes/Elements/Woo_Product_Carousel.php - Line 3427

Old Code:
```php
(no prior code shown)
```

Fixed Code:
```php
echo_pre( $object );
```

Explanation:
`echo_pre( $object )` is debug output left inside the taxonomy loop of `product_wc_query_builder()`. The method runs while the widget is rendered, so the dumped taxonomy objects land in the page (and in any AJAX payload built from this method), breaking the markup and disclosing taxonomy configuration. `echo_pre()` is not defined in this diff, so whether its output is escaped cannot be verified; escaped or not, a dump of internal objects in production output is a defect and the line should be removed.

---

**Vulnerability 4:**

Vulnerability Existed: not sure

**Missing Input Validation** - CWE-20 - includes/Elements/Woo_Product_Carousel.php - Lines 3493-3495

Old Code:
```php
(no prior code shown)
```

Fixed Code:
```php
if ( strpos( $object->name, 'pa_' ) === 0 ) {
    $args['attribute']      = substr( $object->name, 3 );
    $args['attribute_term'] = $slugs;
```

Explanation:
The `substr()` concern is theoretical: the branch is only entered when `strpos( $object->name, 'pa_' ) === 0`, and `substr( 'pa_', 3 )` yields `''` on PHP 8 (`false` on PHP 7), which WooCommerce would simply fail to match. `$slugs` are not request input: `get_terms()` restricts them to the term IDs stored in the widget setting (`WP_Term_Query` casts `include` to integer IDs), and the tax query WooCommerce assembles from `attribute_term` goes through `WP_Tax_Query`, which sanitizes term values, so no injection path is visible in this hunk. The remaining gap is only that `$settings[ $setting_key ]` is handed to `get_terms()` without an explicit `wp_parse_id_list()`; that would make the integer cast visible at the call site rather than relying on the query class.
CVE Analysis Results:
CVE-2026-1004: Yes
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
includes/Traits/Ajax_Handler.php AI: Not Sure 1 true positive CVE-2026-1004
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Traits/Ajax_Handler.php	2026-01-16 00:20:08.756179307 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Traits/Ajax_Handler.php	2026-01-16 00:21:04.531679508 +0000@@ -171,6 +171,9 @@ 		if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' ) { 			do_action( 'eael_woo_before_product_loop', $settings['eael_product_grid_style_preset'] ); 		}+		if ( $class === '\Essential_Addons_Elementor\Elements\Woo_Product_List' ) {+			do_action( 'eael/woo-product-list/before-product-loop' );+		} 		// ensure control name compatibility to old code if it is post block 		if ( $class === '\Essential_Addons_Elementor\Pro\Elements\Post_Block' ) { 			$settings ['post_block_hover_animation']    = $settings['eael_post_block_hover_animation'];@@ -283,39 +286,90 @@  			if ( $file_path ) { 				// wp_send_json( $args );-				$query = new \WP_Query( $args );-				$found_posts = $query->found_posts;-				$iterator = 0;--				if ( $query->have_posts() ) {-					if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' && boolval( $settings['show_add_to_cart_custom_text'] ) ) {--						$add_to_cart_text = [-							'add_to_cart_simple_product_button_text'   => $settings['add_to_cart_simple_product_button_text'],-							'add_to_cart_variable_product_button_text' => $settings['add_to_cart_variable_product_button_text'],-							'add_to_cart_grouped_product_button_text'  => $settings['add_to_cart_grouped_product_button_text'],-							'add_to_cart_external_product_button_text' => $settings['add_to_cart_external_product_button_text'],-							'add_to_cart_default_product_button_text'  => $settings['add_to_cart_default_product_button_text'],-						];-						$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text );+				// Use WC_Product_Query for Product_Grid and Woo_Product_List, WP_Query for others+				if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' || $class === 
'\Essential_Addons_Elementor\Elements\Woo_Product_List' ) {+					// Convert args to WC_Product_Query format+					$wc_args = $this->convert_pagination_args_to_wc_product_query( $args, $settings );+					$wc_query = new \WC_Product_Query( $wc_args );+					$products = $wc_query->get_products();++					// Handle WC_Product_Query results+					if ( is_object( $products ) && isset( $products->products ) ) {+						$product_objects = $products->products;+						$found_posts = $products->total;+					} else {+						$product_objects = $products;+						$found_posts = count( $products ); 					} -					if ( $class === '\Essential_Addons_Elementor\Pro\Elements\Dynamic_Filterable_Gallery' ) {-						$html .= "<div class='found_posts' style='display: none;'>{$found_posts}</div>";-					}+					$iterator = 0;++					if ( ! empty( $product_objects ) ) {+						// Handle custom add to cart text for Product_Grid+						if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' && boolval( $settings['show_add_to_cart_custom_text'] ) ) {+							$add_to_cart_text = [+								'add_to_cart_simple_product_button_text'   => $settings['add_to_cart_simple_product_button_text'],+								'add_to_cart_variable_product_button_text' => $settings['add_to_cart_variable_product_button_text'],+								'add_to_cart_grouped_product_button_text'  => $settings['add_to_cart_grouped_product_button_text'],+								'add_to_cart_external_product_button_text' => $settings['add_to_cart_external_product_button_text'],+								'add_to_cart_default_product_button_text'  => $settings['add_to_cart_default_product_button_text'],+							];+							$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text );+						} -					while ( $query->have_posts() ) {-						$query->the_post();+						// Handle custom add to cart text for Woo_Product_List+						if ( $class === '\Essential_Addons_Elementor\Elements\Woo_Product_List' && boolval( $settings['eael_product_list_content_footer_add_to_cart_custom_text_show'] 
) ) {+							$add_to_cart_text = [+								'add_to_cart_simple_product_button_text'   => $settings['eael_product_list_content_footer_add_to_cart_simple_text'],+								'add_to_cart_variable_product_button_text' => $settings['eael_product_list_content_footer_add_to_cart_variable_text'],+								'add_to_cart_grouped_product_button_text'  => $settings['eael_product_list_content_footer_add_to_cart_grouped_text'],+								'add_to_cart_external_product_button_text' => $settings['eael_product_list_content_footer_add_to_cart_external_text'],+								'add_to_cart_default_product_button_text'  => $settings['eael_product_list_content_footer_add_to_cart_default_text'],+							];+							$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text );+						} -						$html .= HelperClass::include_with_variable( $file_path, [-							'settings'      => $settings,-							'link_settings' => $link_settings,-							'iterator'      => $iterator-						] );-						$iterator ++;+						// Iterate through WC_Product objects+						foreach ( $product_objects as $product ) {+							global $post;+							$post = get_post( $product->get_id() );+							setup_postdata( $post );++							$html .= HelperClass::include_with_variable( $file_path, [+								'settings'      => $settings,+								'link_settings' => $link_settings,+								'iterator'      => $iterator+							] );+							$iterator ++;+						}+						wp_reset_postdata();+					} else {+						$html .= __( '<p class="no-posts-found">No posts found!</p>', 'essential-addons-for-elementor-lite' ); 					} 				} else {-					$html .= '<p class="no-posts-found">' . esc_html__( 'No posts found!', 'essential-addons-for-elementor-lite' ) . 
'</p>';+					// Use WP_Query for non-product widgets+					$query = new \WP_Query( $args );+					$found_posts = $query->found_posts;+					$iterator = 0;++					if ( $query->have_posts() ) {+						if ( $class === '\Essential_Addons_Elementor\Pro\Elements\Dynamic_Filterable_Gallery' ) {+							$html .= "<div class='found_posts' style='display: none;'>{$found_posts}</div>";+						}++						while ( $query->have_posts() ) {+							$query->the_post();++							$html .= HelperClass::include_with_variable( $file_path, [+								'settings'      => $settings,+								'link_settings' => $link_settings,+								'iterator'      => $iterator+							] );+							$iterator ++;+						}+					} else {+						$html .= '<p class="no-posts-found">' . esc_html__( 'No posts found!', 'essential-addons-for-elementor-lite' ) . '</p>';+					} 				} 			} 		}@@ -323,6 +377,9 @@ 		if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' ) { 			do_action( 'eael_woo_after_product_loop', $settings['eael_product_grid_style_preset'] ); 		}+		if ( $class === '\Essential_Addons_Elementor\Elements\Woo_Product_List' ) {+			do_action( 'eael/woo-product-list/after-product-loop' );+		} 		while ( ob_get_status() ) { 			ob_end_clean(); 		}@@ -563,22 +620,26 @@ 		$settings['eael_widget_id'] = $widget_id; 		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated 		wp_parse_str( $_REQUEST['args'], $args );-		$args['post_status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] ); -		if ( isset( $args['date_query']['relation'] ) ) {-			$args['date_query']['relation'] = HelperClass::eael_sanitize_relation( $args['date_query']['relation'] );+		// Convert WP_Query args to WC_Product_Query args if needed+		$wc_args = $this->convert_pagination_args_to_wc_product_query( $args, $settings );++		if ( isset( 
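Review bot: The WC_Product_Query branch's empty-result message is built with `__( '<p class="no-posts-found">No posts found!</p>', … )`, which puts markup inside the translatable string and appends it to `$html` unescaped, whereas the WP_Query branch a few lines below keeps the markup outside and uses `esc_html__()`; a translation file can thus inject HTML into the response. Use the same form in both branches: `$html .= '<p class="no-posts-found">' . esc_html__( 'No posts found!', 'essential-addons-for-elementor-lite' ) . '</p>';`. `$found_posts` is computed in the WC branch but never read there (the `found_posts` marker is only emitted for `Dynamic_Filterable_Gallery`, which takes the WP_Query path), so it can be dropped unless it is used after the hunk. The enclosing method starts and ends outside this hunk.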
$wc_args['date_query']['relation'] ) ) {+			$wc_args['date_query']['relation'] = HelperClass::eael_sanitize_relation( $wc_args['date_query']['relation'] ); 		}  		$paginationNumber = ! empty( $_POST['number'] ) ? absint( $_POST['number'] ) : 1; 		$paginationLimit  = ! empty( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 10; -		$args['posts_per_page'] = $paginationLimit;+		$wc_args['limit'] = $paginationLimit;+		$wc_args['page'] = $paginationNumber; +		// Calculate offset for WC_Product_Query 		if ( $paginationNumber == "1" ) { 			$paginationOffsetValue = "0"; 		} else { 			$paginationOffsetValue = ( $paginationNumber - 1 ) * $paginationLimit;-			$args['offset']        = $paginationOffsetValue;+			$wc_args['offset'] = $paginationOffsetValue; 		}  		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated@@ -588,8 +649,19 @@ 		$template = realpath( $this->get_template( $template_info['file_name'] ) );  		ob_start();-		$query = new \WP_Query( $args );-		if ( $query->have_posts() ) {++		// Use WC_Product_Query for product queries+		$wc_query = new \WC_Product_Query( $wc_args );+		$products = $wc_query->get_products();++		// Handle WC_Product_Query results+		if ( is_object( $products ) && isset( $products->products ) ) {+			$product_objects = $products->products;+		} else {+			$product_objects = $products;+		}++		if ( ! 
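Review bot: The `date_query` sanitization right after the conversion is now dead code: `convert_pagination_args_to_wc_product_query()` never copies `date_query` from `$args` into `$wc_args` (its mapping covers `posts_per_page`, `post_status`, `post__in`, `post__not_in`, `author__in`, `paged`, `orderby`, `order`, `offset`, `s`, `meta_query`, `tax_query` and `meta_key`), so `isset( $wc_args['date_query']['relation'] )` is always false and any date filter the widget passed is silently dropped. Either sanitize `$args['date_query']['relation']` before the conversion and make the helper carry `date_query` across, or remove the check; whether WC_Product_Query honours a raw `date_query` key is not something this diff shows. Setting both `page` and `offset` is also redundant, since WP_Query documents `offset` as overriding `paged`; `$wc_args['page'] = $paginationNumber;` alone, with the offset arithmetic removed, is enough. The enclosing method starts and ends outside this hunk.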
empty( $product_objects ) ) { 			if ( isset( $template_info['name'] ) && $template_info['name'] === 'eicon-woocommerce' && boolval( $settings['show_add_to_cart_custom_text'] ) ){ 				$add_to_cart_text = [ 					'add_to_cart_simple_product_button_text'   => $settings['add_to_cart_simple_product_button_text'],@@ -601,8 +673,11 @@ 				$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text ); 			} -			while ( $query->have_posts() ) {-				$query->the_post();+			// Iterate through WC_Product objects+			foreach ( $product_objects as $product ) {+				global $post;+				$post = get_post( $product->get_id() );+				setup_postdata( $post ); 				include( $template ); 			} 			wp_reset_postdata();@@ -613,6 +688,86 @@ 	}  	/**+	 * Convert pagination arguments to WC_Product_Query arguments+	 * @param array $args Original arguments from pagination+	 * @param array $settings Widget settings+	 * @return array WC_Product_Query compatible arguments+	 */+	private function convert_pagination_args_to_wc_product_query( $args, $settings ) {+		$wc_args = [+			'paginate' => true,+			'return' => 'objects',+		];++		// Map common WP_Query args to WC_Product_Query args+		$arg_mapping = [+			'posts_per_page' => 'limit',+			'post_status' => 'status',+			'post__in' => 'include',+			'post__not_in' => 'exclude',+			'author__in' => 'author',+			'paged' => 'page',+		];++		foreach ( $arg_mapping as $wp_key => $wc_key ) {+			if ( isset( $args[ $wp_key ] ) ) {+				$wc_args[ $wc_key ] = $args[ $wp_key ];+			}+		}++		// Handle other common args+		if ( isset( $args['orderby'] ) ) {+			$wc_args['orderby'] = $args['orderby'];+		}+		if ( isset( $args['order'] ) ) {+			$wc_args['order'] = $args['order'];+		}+		if ( isset( $args['offset'] ) ) {+			$wc_args['offset'] = $args['offset'];+		}+		if ( isset( $args['s'] ) ) {+			$wc_args['search'] = $args['s'];+		}++		// Handle meta_query and tax_query+		if ( isset( $args['meta_query'] ) ) {+			$wc_args['meta_query'] = $args['meta_query'];+		}+		
if ( isset( $args['tax_query'] ) ) {+			$wc_args['tax_query'] = $args['tax_query'];+		}++		// Handle meta_key and meta_value+		if ( isset( $args['meta_key'] ) ) {+			if ( ! isset( $wc_args['meta_query'] ) ) {+				$wc_args['meta_query'] = ['relation' => 'AND'];+			}+			$meta_query = [+				'key' => $args['meta_key'],+			];+			if ( isset( $args['meta_value'] ) ) {+				$meta_query['value'] = $args['meta_value'];+			}+			if ( isset( $args['meta_compare'] ) ) {+				$meta_query['compare'] = $args['meta_compare'];+			}+			$wc_args['meta_query'][] = $meta_query;+		}++		// Set product status from settings (handle both Product_Grid and Woo_Product_List)+		if ( ! empty( $settings['eael_product_grid_products_status'] ) ) {+			$wc_args['status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );+		} elseif ( ! empty( $settings['eael_product_list_products_status'] ) ) {+			$wc_args['status'] = array_intersect( (array) $settings['eael_product_list_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );+		}++		// Set visibility+		$wc_args['visibility'] = 'visible';++		return $wc_args;+	}++	/** 	 * Woo Pagination Ajax 	 * Return pagination list for product post type while used Product_Grid widget 	 *@@ -828,9 +983,21 @@ 			wp_send_json_error(); 		} -		// global $post, $product;+		global $post, $product; 		$product = wc_get_product( $product_id ); 		$post    = get_post( $product_id );++		// SECURITY FIX: Verify product exists and is visible+		if ( ! $product || ! $product->is_visible() ) {+			wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );+		}++		// Also verify post status for non-admin users+		$post = get_post( $product_id );+		if ( ! 
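Review bot: The status whitelist in `convert_pagination_args_to_wc_product_query()` only runs when `eael_product_grid_products_status` or `eael_product_list_products_status` is non-empty; otherwise `status` keeps whatever `post_status` the `$arg_mapping` loop copied from `$args`, and in the caller at line 563 `$args` is parsed from `$_REQUEST['args']`, which before this change was always overwritten by the setting. An intersection that filters everything out also leaves `status` as `[]` rather than falling back to `publish`. Given that CVE-2026-1004 is about exposing draft, pending and private products, this is a regression path worth closing: always compute the status from the saved setting and fall back to `publish`.
```php
	// … unchanged: key mapping, orderby/order/offset/search, meta_query/tax_query …

	$status = [];
	if ( ! empty( $settings['eael_product_grid_products_status'] ) ) {
		$status = (array) $settings['eael_product_grid_products_status'];
	} elseif ( ! empty( $settings['eael_product_list_products_status'] ) ) {
		$status = (array) $settings['eael_product_list_products_status'];
	}
	// Only the saved widget setting may widen the status; a post_status copied from $args is discarded.
	$status            = array_intersect( $status, [ 'publish', 'draft', 'pending', 'future' ] );
	$wc_args['status'] = ! empty( $status ) ? $status : [ 'publish' ];

	// Set visibility
	$wc_args['visibility'] = 'visible';

	return $wc_args;
```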
current_user_can( 'edit_post', $product_id ) && $post->post_status !== 'publish' ) {+			wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );+		}+ 		setup_postdata( $post );  		$settings = $this->eael_get_widget_settings( $page_id, $widget_id );@@ -986,25 +1153,42 @@ 			) );  			if ( ! $file_path || 0 !== strpos( $file_path, realpath( $dir_path ) ) ) {-				wp_send_json_error( 'Invalid template', 'invalid_template', 400 );+				wp_send_json_error( 'Invalid template', 'invalid_template', '400' ); 			}  			$html = ''; 			if ( $file_path ) {-				$query = new \WP_Query( $args );+				// Convert args to WC_Product_Query format for product gallery+				$wc_args = $this->convert_pagination_args_to_wc_product_query( $args, $settings );+				$wc_query = new \WC_Product_Query( $wc_args );+				$products = $wc_query->get_products();++				// Handle WC_Product_Query results+				if ( is_object( $products ) && isset( $products->products ) ) {+					$product_objects = $products->products;+					$found_posts = $products->total;+					$max_num_pages = $products->max_num_pages;+				} else {+					$product_objects = $products;+					$found_posts = count( $products );+					$max_num_pages = 1;+				} -				if ( $query->have_posts() ) {+				if ( ! empty( $product_objects ) ) {  					do_action( 'eael_woo_before_product_loop' ); -					while ( $query->have_posts() ) {-						$query->the_post();+					// Iterate through WC_Product objects+					foreach ( $product_objects as $product ) {+						global $post;+						$post = get_post( $product->get_id() );+						setup_postdata( $post ); 						$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings ] ); 					}-					+ 					do_action( 'eael_woo_after_product_loop' ); -					$html .= '<div class="eael-max-page" style="display:none;">'. ceil($query->found_posts / absint( $args['posts_per_page'] ) ) . '</div>';+					$html .= '<div class="eael-max-page" style="display:none;">'. 
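Review bot: The added `post_status` check is redundant with `$product->is_visible()`, which in current WooCommerce already returns false for non-published products unless the user has `edit_post` on them; but `is_visible()` also folds in catalog visibility and, when `woocommerce_hide_out_of_stock_items` is on, stock status, so published products that are merely hidden from the catalog or out of stock now get "Product not found or not accessible" from quick view. If that is not intended, check status directly and use the capability that actually governs viewing private posts: `if ( ! $product || ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $product_id ) ) ) {`. Neither check covers password-protected products; add `|| post_password_required( $post )` if quick view renders product content. The second `$post = get_post( $product_id );` repeats the assignment a few lines above and can be dropped; the enclosing method continues outside the hunk.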
$max_num_pages . '</div>';  					// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped 					echo $html;
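Review bot: `wp_send_json_error( 'Invalid template', 'invalid_template', '400' )` passes its arguments in the wrong positions: the second parameter of `wp_send_json_error()` is the HTTP status code and the third is JSON encoding flags, so `'invalid_template'` becomes the status and `'400'` the flags; the commit touches this line (`400` → `'400'`) without fixing that. Use `wp_send_json_error( [ 'message' => 'Invalid template', 'code' => 'invalid_template' ], 400 );`. `$found_posts` is assigned in both result branches but no longer read now that `$max_num_pages` drives the `eael-max-page` marker, so it can go unless it is used after the hunk. The enclosing method continues outside the hunk, which ends at `echo $html;`.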
AI Analysis
# Security Analysis Report

## Vulnerability 1

**Vulnerability Existed:** yes
TRUE POSITIVE

**Improper Access Control - CWE-284** - includes/Traits/Ajax_Handler.php [Lines 986-1000]

**Old Code:**
```php
// global $post, $product;
$product = wc_get_product( $product_id );
$post    = get_post( $product_id );
setup_postdata( $post );
```

**Fixed Code:**
```php
global $post, $product;
$product = wc_get_product( $product_id );
$post    = get_post( $product_id );

// SECURITY FIX: Verify product exists and is visible
if ( ! $product || ! $product->is_visible() ) {
	wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );
}

// Also verify post status for non-admin users
$post = get_post( $product_id );
if ( ! current_user_can( 'edit_post', $product_id ) && $post->post_status !== 'publish' ) {
	wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );
}

setup_postdata( $post );
```

**Explanation:**
The original code was vulnerable to unauthorized access. It retrieved a product and post without verifying:
1. Whether the product actually exists
2. Whether the product is visible to the current user
3. Whether non-admin users were attempting to access unpublished posts

The fix adds two checks before anything about the product is rendered:
- `$product->is_visible()` — rejects a missing product and, in WooCommerce core, also non-published products (for users without `edit_post`), trashed products, products hidden from the catalog and, when the store hides out-of-stock items, out-of-stock products
- For users without `edit_post` on the product, an explicit `post_status === 'publish'` requirement (largely redundant with the first check, but harmless)
- Either failure calls `wp_send_json_error()`, which ends the request before `setup_postdata()` runs

This closes CVE-2026-1004: unauthenticated requests can no longer pull draft, pending or private products through the quick-view endpoint. Password-protected products are not covered by either check.

---

## Vulnerability 2

**Vulnerability Existed:** not sure

**Potential Insecure Direct Object Reference (IDOR) / Broken Access Control - CWE-639** - includes/Traits/Ajax_Handler.php [Lines 623-624]

**Old Code:**
```php
$args['post_status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );
```

**Fixed Code:**
```php
// Set product status from settings (handle both Product_Grid and Woo_Product_List)
if ( ! empty( $settings['eael_product_grid_products_status'] ) ) {
	$wc_args['status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );
} elseif ( ! empty( $settings['eael_product_list_products_status'] ) ) {
	$wc_args['status'] = array_intersect( (array) $settings['eael_product_list_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );
}
```

**Explanation:**
The change is not purely defensive. The removed line set `post_status` unconditionally from the widget setting, discarding anything the caller supplied; the new helper only overrides `status` when `eael_product_grid_products_status` or `eael_product_list_products_status` is non-empty, and its `$arg_mapping` loop copies a caller-supplied `post_status` straight onto `status` first. `$settings` are editor-controlled (the saved Elementor widget), but `$args` in this handler is built by `wp_parse_str( $_REQUEST['args'], $args )`, so when both settings are empty a request-supplied `post_status` now reaches `WC_Product_Query` unfiltered. The `array_intersect()` whitelist is sound where it runs; the regression is the path on which it does not run, and the `visibility => 'visible'` default does not compensate, since WooCommerce implements that parameter through the `product_visibility` taxonomy rather than post status.
CVE Analysis Results:
CVE-2026-1004: Yes
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.