Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Elementor Website Builder: from n/a through 4.1.0.
AnalysisAI
Missing authorization controls in the Elementor Website Builder WordPress plugin through version 4.1.0 allow low-privilege authenticated users to exploit incorrectly configured access control levels, resulting in limited unauthorized read and write access to restricted plugin functionality. The flaw (CWE-862) means the plugin fails to validate whether the authenticated requestor holds sufficient WordPress capabilities before granting access to protected operations. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, though the low attack complexity makes this straightforward to exploit once a valid account is obtained.
Technical ContextAI
Elementor Website Builder is one of the most widely deployed WordPress page-builder plugins, present on millions of installations globally. The root cause is CWE-862 (Missing Authorization): specific plugin endpoints or AJAX actions perform no capability checks against the WordPress permissions model before executing, meaning the plugin trusts that any authenticated request is authorized. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms remote network exploitation with low complexity, requiring only a low-privilege WordPress account (e.g., subscriber or contributor role) and no user interaction. The affected scope covers all plugin deployments at or below version 4.1.0. No CPE string was included in the provided intelligence, but the Patchstack advisory identifies the plugin slug as 'elementor' in the WordPress repository.
RemediationAI
The primary remediation is to update the Elementor Website Builder plugin to a version above 4.1.0; however, no specific patched release version was confirmed in the provided intelligence data - verify the exact fix version via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elementor/vulnerability/wordpress-elementor-website-builder-plugin-4-1-0-broken-access-control-vulnerability?_s_id=cve or the official Elementor changelog on WordPress.org before deploying. As an immediate compensating control, disable WordPress user registration if it is not operationally required, which eliminates the low-privilege account prerequisite entirely with no functional side effects for invite-only sites. For sites that require open registration, audit and restrict user roles so that untrusted accounts hold only the minimum necessary role. A WordPress-aware WAF such as Patchstack Shield or Wordfence with virtual patching rules can block exploitation attempts at the network layer as a temporary bridge control, though these introduce a dependency on rule update latency.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33933
GHSA-j56r-2c4g-4gw4