Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.
AnalysisAI
Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.
Technical ContextAI
CWE-862 (Missing Authorization) describes a failure to perform an authorization check where one is required before granting access to a resource or action. In the context of WordPress plugins, this typically manifests as REST API endpoints, AJAX handlers, or admin-side functionality that verify authentication (nonce/logged-in status) but omit capability checks - meaning any authenticated user can invoke privileged operations regardless of their role. The affected product, identified by CPE cpe:2.3:a:add-ons.org:pdf_for_elementor_forms_+_drag_and_drop_template_builder through version 5.5.1, is a plugin that provides PDF generation from Elementor form submissions along with a drag-and-drop template builder. The CVSS vector includes S:C (Scope Changed), indicating the authorization bypass can affect resources or components outside the plugin's own security scope - for example, writing to or modifying data owned by other WordPress components or users.
RemediationAI
Update the PDF for Elementor Forms + Drag And Drop Template Builder plugin to the version released after 5.5.1 that addresses this authorization flaw; the exact fixed version should be confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-5-5-1-broken-access-control-vulnerability?_s_id=cve) and the WordPress plugin repository changelog. An exact patched version number is not confirmed in the available input data. If immediate patching is not possible, a compensating control is to restrict the WordPress site to trusted authenticated users only - disable open user registration and audit existing low-privilege accounts, since exploitation requires PR:L. Alternatively, a Web Application Firewall rule scoped to the plugin's AJAX or REST endpoints can block unauthorized capability calls, though this may interfere with legitimate plugin functionality and should be tested before production deployment.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31096
GHSA-hx33-9q48-6r26