Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable with low complexity and no user interaction, but a Contributor-level account is required (PR:L); admin takeover yields full C/I/A impact with unchanged scope.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers - the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.
Articles & Coverage 1
AnalysisAI
Authenticated account takeover in the Essential Addons for Elementor WordPress plugin (versions ≤ 6.6.10) lets a Contributor-or-above user inject a Bcc header into WordPress's administrator password-reset email via the plugin's Login/Register widget, capturing a valid admin reset link and seizing the site. The flaw stems from an email-header (CRLF) injection where the allowed-values check is enforced only in the browser editor, not server-side. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account at Contributor level or above on the target WordPress site, and the site must have the plugin's Login/Register widget deployed such that the vulnerable email-header setting is reachable and used to build outgoing mail. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) is internally consistent with the description: network-reachable, low complexity, requires only low privileges (Contributor), no user interaction, and yields full confidentiality/integrity/availability impact via administrator takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or registers/obtains) a Contributor account edits or supplies the Login/Register widget's email-header-related setting, embedding CRLF sequences that append a Bcc header pointing to their own mailbox. They then trigger the WordPress administrator's password-reset notification so the reset email is silently copied to them, follow the valid reset link, set a new admin password, and take over the site. … |
| Remediation | Vendor-released patch: 6.6.11 - upgrade Essential Addons for Elementor to 6.6.11 or later, confirmed by the WordPress.org changeset diffing tag 6.6.10 against 6.6.11 (https://plugins.trac.wordpress.org/changeset?old_path=%2Fessential-addons-for-elementor-lite/tags/6.6.10&new_path=%2Fessential-addons-for-elementor-lite/tags/6.6.11 and the server-side fix in changeset 3601504 to includes/Traits/Login_Registration.php). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress instances running Essential Addons for Elementor and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with
Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43160
GHSA-3pm3-fg5f-vgvx