What is the CVSS score of CVE-2026-42629?

CVE-2026-42629 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of PowerPack Pro for Elementor are affected by CVE-2026-42629?

PowerPack Pro for Elementor WordPress plugin (versions prior to 2.13.0) contains an authentication vulnerability allowing unauthorized access to website administrator functions, with no public…

How to fix or mitigate CVE-2026-42629?

Within 24 hours: Inventory all WordPress installations running PowerPack Pro and identify those with versions prior to 2.13.0. Within 7 days: Upgrade all affected installations to PowerPack Pro version 2.13.0 or later and verify authentication controls are functioning. Within 30 days: Audit access logs and administrator accounts for unauthorized activity during the vulnerable period and strengthen access monitoring controls.

PowerPack Pro for Elementor CVE-2026-42629

EUVD-2026-37609 HIGH

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

2026-06-17 Patchstack

Information Disclosure Powerpack Pro For Elementor Elementor

8.8

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI

8.8 HIGH

Network-reachable WordPress endpoint, no attacker auth (PR:N), but victim must visit a crafted link (UI:R); auth bypass yields full CIA impact on the site.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 17, 2026 - 12:09 vuln.today

DescriptionCVE.org

Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.

AnalysisAI

Authentication bypass in the PowerPack Pro for Elementor WordPress plugin (versions prior to 2.13.0) allows remote attackers to subvert authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. The flaw, reported by Patchstack and tracked as CVE-2026-42629, is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and requires user interaction per the CVSS vector. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify WordPress site running PowerPack Pro < 2.13.0

Delivery

Craft malicious link targeting vulnerable endpoint

Exploit

Lure admin or user to click (UI:R)

Execution

Bypass authentication via alternate path

Persist

Execute privileged action in victim context

Impact

Modify site content or create admin account

Access

Identify WordPress site running PowerPack Pro < 2.13.0

Delivery

Craft malicious link targeting vulnerable endpoint

Exploit

Lure admin or user to click (UI:R)

Execution

Bypass authentication via alternate path

Persist

Execute privileged action in victim context

Impact

Modify site content or create admin account

Vulnerability AssessmentAI

Exploitation	Requires a target WordPress site running PowerPack Pro for Elementor at any version below 2.13.0 with the vulnerable module/endpoint reachable over the network (default plugin install exposes it). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects network-reachable, low-complexity, unauthenticated exploitation with high impact across the CIA triad, tempered only by a UI:R requirement (e.g., an admin or visitor visiting a crafted link/page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious URL or web page targeting the vulnerable PowerPack endpoint and lures a site visitor or administrator into loading it (UI:R), at which point the plugin's broken authentication path is invoked without proper credential validation, allowing the attacker to perform privileged actions in the victim's session context. Successful exploitation could lead to administrative content modification, malicious plugin/user creation, or data exfiltration from the WordPress site. …
Remediation	Upgrade PowerPack Pro for Elementor to version 2.13.0 or later via the WordPress plugin updater or the PowerPack Elements customer portal as the primary fix, referencing the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/powerpack-elements/vulnerability/wordpress-powerpack-pro-for-elementor-plugin-v2-13-0-broken-authentication-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running PowerPack Pro and identify those with versions prior to 2.13.0. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42629 vulnerability details – vuln.today

Back

PowerPack Pro for Elementor CVE-2026-42629

Severity by source

CVSS VectorVendor: Patchstack

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code