Skip to main content

WordPress CVE-2026-4326

| EUVD-2026-20825 HIGH
Missing Authorization (CWE-862)
2026-04-09 Wordfence
WordPress Authentication Bypass Elementor
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:07 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 02:15 euvd
EUVD-2026-20825
Analysis Generated
Apr 09, 2026 - 02:15 vuln.today
CVE Published
Apr 09, 2026 - 01:25 nvd
HIGH 8.8

DescriptionCVE.org

The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails - it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.

AnalysisAI

Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticated attacker accesses plugin
Delivery
Send request to activate_required_plugins function
Exploit
Bypass capability check logic flaw
Execution
Install and activate arbitrary plugins
Impact
Execute malicious plugin code
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Authenticated WordPress user account required (any role). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.8 reflects high severity due to unauthenticated privilege escalation enabling arbitrary plugin installation on WordPress sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Attacker with Subscriber account (lowest privilege tier) calls activate_required_plugins() AJAX endpoint. Authorization check fails but execution continues; arbitrary plugin installs and activates before error response. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit installed version of Vertex Addons for Elementor across all WordPress instances and document current version. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8157 HIGH POC
8.8 Jun 22

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
CVE-2026-8089 HIGH POC
7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH POC
7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-4259 HIGH POC
7.1 Jun 22

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
CVE-2026-6858 HIGH POC
7.1 Jun 22

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen

Share

CVE-2026-4326 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy