Skip to main content

Easy Elements for Elementor CVE-2026-9018

| EUVDEUVD-2026-31410 HIGH
Improper Privilege Management (CWE-269)
2026-05-22 Wordfence GHSA-jvg6-x4cw-2wj7
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 05:16 vuln.today

DescriptionCVE.org

The Easy Elements for Elementor - Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyel_handle_register() function. This is due to the wp_ajax_nopriv_eel_register AJAX handler iterating the attacker-controlled custom_meta POST array and writing every supplied key-value pair to the newly created user's meta via update_user_meta() without any key whitelist or blocklist, allowing the wp_capabilities user meta key to be overwritten after wp_insert_user() has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying custom_meta[wp_capabilities][administrator]=1. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required easy_elements_nonce into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.

AnalysisAI

Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.

Technical ContextAI

The vulnerability lives in the plugin's Login/Register widget, specifically class.login-register.php in the easyel_handle_register() function bound to the wp_ajax_nopriv_eel_register hook (which by WordPress design accepts requests from unauthenticated users). After wp_insert_user() correctly assigns a default role, the handler iterates the attacker-controlled custom_meta POST array and calls update_user_meta() for every key/value pair with no allowlist or denylist. Because WordPress stores role assignments in the wp_capabilities user meta key, an attacker can overwrite the role post-creation. This maps to CWE-269 (Improper Privilege Management). The affected CPE is cpe:2.3:a:themewant:easy_elements_for_elementor_-_addons_&_website_templates and the relevant source lines are referenced in plugins.trac.wordpress.org at lines 65 and 128 of class.login-register.php; the easy_elements_nonce required to call the handler is published into the page DOM by Enqueue.php line 200.

RemediationAI

No vendor-released patch identified at time of analysis - the available references point only to the vulnerable 1.4.5 source code on plugins.trac.wordpress.org, not to a fixed tag. Administrators should immediately deactivate and remove the Easy Elements for Elementor plugin until ThemeWant publishes a patched release; monitor https://www.wordfence.com/threat-intel/vulnerabilities/id/f1de4899-532a-4558-bff0-f4610bfdd49d for fix availability. If removal is not feasible, compensating controls include disabling WordPress user registration via Settings → General → Membership (this removes the exploit's precondition but breaks legitimate self-service signup), removing any page that embeds the plugin's Login/Register widget so the easy_elements_nonce is no longer published in the DOM, and adding a WAF rule that blocks POST requests to admin-ajax.php with action=eel_register containing custom_meta[wp_capabilities] (this may produce false positives for legitimate meta fields if the developer later legitimately uses custom_meta).

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-9018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy