Skip to main content

Elementor Website Builder CVE-2026-49782

| EUVDEUVD-2026-33933 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 audit@patchstack.com GHSA-j56r-2c4g-4gw4
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 14:36 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Elementor Website Builder: from n/a through 4.1.0.

AnalysisAI

Missing authorization controls in the Elementor Website Builder WordPress plugin through version 4.1.0 allow low-privilege authenticated users to exploit incorrectly configured access control levels, resulting in limited unauthorized read and write access to restricted plugin functionality. The flaw (CWE-862) means the plugin fails to validate whether the authenticated requestor holds sufficient WordPress capabilities before granting access to protected operations. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, though the low attack complexity makes this straightforward to exploit once a valid account is obtained.

Technical ContextAI

Elementor Website Builder is one of the most widely deployed WordPress page-builder plugins, present on millions of installations globally. The root cause is CWE-862 (Missing Authorization): specific plugin endpoints or AJAX actions perform no capability checks against the WordPress permissions model before executing, meaning the plugin trusts that any authenticated request is authorized. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms remote network exploitation with low complexity, requiring only a low-privilege WordPress account (e.g., subscriber or contributor role) and no user interaction. The affected scope covers all plugin deployments at or below version 4.1.0. No CPE string was included in the provided intelligence, but the Patchstack advisory identifies the plugin slug as 'elementor' in the WordPress repository.

RemediationAI

The primary remediation is to update the Elementor Website Builder plugin to a version above 4.1.0; however, no specific patched release version was confirmed in the provided intelligence data - verify the exact fix version via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elementor/vulnerability/wordpress-elementor-website-builder-plugin-4-1-0-broken-access-control-vulnerability?_s_id=cve or the official Elementor changelog on WordPress.org before deploying. As an immediate compensating control, disable WordPress user registration if it is not operationally required, which eliminates the low-privilege account prerequisite entirely with no functional side effects for invite-only sites. For sites that require open registration, audit and restrict user roles so that untrusted accounts hold only the minimum necessary role. A WordPress-aware WAF such as Patchstack Shield or Wordfence with virtual patching rules can block exploitation attempts at the network layer as a temporary bridge control, though these introduce a dependency on rule update latency.

Share

CVE-2026-49782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy