Skip to main content

Essential Addons for Elementor CVE-2026-15155

| EUVDEUVD-2026-43160 HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-07-11 Wordfence GHSA-3pm3-fg5f-vgvx
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable with low complexity and no user interaction, but a Contributor-level account is required (PR:L); admin takeover yields full C/I/A impact with unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:53 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
HIGH 8.8

DescriptionCVE.org

The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers - the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.

AnalysisAI

Authenticated account takeover in the Essential Addons for Elementor WordPress plugin (versions ≤ 6.6.10) lets a Contributor-or-above user inject a Bcc header into WordPress's administrator password-reset email via the plugin's Login/Register widget, capturing a valid admin reset link and seizing the site. The flaw stems from an email-header (CRLF) injection where the allowed-values check is enforced only in the browser editor, not server-side. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Contributor-level user
Delivery
Inject CRLF Bcc header into widget setting
Exploit
Trigger admin password-reset email
Execution
Receive copied reset link via Bcc
Persist
Set new administrator password
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account at Contributor level or above on the target WordPress site, and the site must have the plugin's Login/Register widget deployed such that the vulnerable email-header setting is reachable and used to build outgoing mail. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) is internally consistent with the description: network-reachable, low complexity, requires only low privileges (Contributor), no user interaction, and yields full confidentiality/integrity/availability impact via administrator takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or registers/obtains) a Contributor account edits or supplies the Login/Register widget's email-header-related setting, embedding CRLF sequences that append a Bcc header pointing to their own mailbox. They then trigger the WordPress administrator's password-reset notification so the reset email is silently copied to them, follow the valid reset link, set a new admin password, and take over the site. …
Remediation Vendor-released patch: 6.6.11 - upgrade Essential Addons for Elementor to 6.6.11 or later, confirmed by the WordPress.org changeset diffing tag 6.6.10 against 6.6.11 (https://plugins.trac.wordpress.org/changeset?old_path=%2Fessential-addons-for-elementor-lite/tags/6.6.10&new_path=%2Fessential-addons-for-elementor-lite/tags/6.6.11 and the server-side fix in changeset 3601504 to includes/Traits/Login_Registration.php). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running Essential Addons for Elementor and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy