CVE-2026-24386
WordPress Element Invader – Template Kits for Elementor plugin <= 1.2.4 - Broken Access Control vulnerabilityMissing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4.
We have discovered 324 live websites that are affected by CVE-2026-24386.
Affected Software
| Product |  Elementinvader |
| Category | Wordpress Plugins |
| Vulnerable Domains | 324 live websites (100% of Elementinvader install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 7 versions ( 100% of all versions) |
Details
- Published - Jan 22, 2026
- Updated - Jan 22, 2026
Credits
- Nabil Irawan | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-24386 United States | 101 websites |
 Germany | 44 websites |
 Italy | 26 websites |
 Brazil | 13 websites |
 Canada | 12 websites |
 Cyprus | 10 websites |
 France | 9 websites |
 Poland | 8 websites |
 Netherlands | 8 websites |
 Australia | 6 websites |
Website Distribution by TLD
Number of websites using CVE-2026-24386| .com | 154 websites |
| .it | 17 websites |
| .org | 17 websites |
| .de | 16 websites |
| .com.br | 13 websites |
| .at | 12 websites |
| .net | 8 websites |
| .nl | 6 websites |
| .pl | 6 websites |
| .com.au | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-24386
Top websites that are affected by CVE-2026-24386. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | **,*** | |
| **********.com | United States | ***,*** | |
| *********.com | United States | *,***,*** | |
| *******.at | Germany | *,***,*** | |
| ************.de | Germany | *,***,*** | |
| ************************.com | Germany | *,***,*** | |
| ******.***.au | Australia | *,***,*** | |
| ********.***.sg | United States | *,***,*** | |
| *************.org | United States | *,***,*** | |
| *************.com | United States | *,***,*** |
FAQ
A total of 324 websites have been identified as vulnerable to CVE-2026-24386, based on global website indexing conducted by WebTechSurvey.
The Elementinvader is affected by the CVE-2026-24386 vulnerability.
Elementinvader versions up to and including 1.2.4 are vulnerable to CVE-2026-24386.