Skip to main content

PDF for Elementor Forms EUVDEUVD-2026-31096

| CVE-2026-45443 MEDIUM
Missing Authorization (CWE-862)
2026-05-20 Patchstack GHSA-hx33-9q48-6r26
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:35 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

AnalysisAI

Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.

Technical ContextAI

CWE-862 (Missing Authorization) describes a failure to perform an authorization check where one is required before granting access to a resource or action. In the context of WordPress plugins, this typically manifests as REST API endpoints, AJAX handlers, or admin-side functionality that verify authentication (nonce/logged-in status) but omit capability checks - meaning any authenticated user can invoke privileged operations regardless of their role. The affected product, identified by CPE cpe:2.3:a:add-ons.org:pdf_for_elementor_forms_+_drag_and_drop_template_builder through version 5.5.1, is a plugin that provides PDF generation from Elementor form submissions along with a drag-and-drop template builder. The CVSS vector includes S:C (Scope Changed), indicating the authorization bypass can affect resources or components outside the plugin's own security scope - for example, writing to or modifying data owned by other WordPress components or users.

RemediationAI

Update the PDF for Elementor Forms + Drag And Drop Template Builder plugin to the version released after 5.5.1 that addresses this authorization flaw; the exact fixed version should be confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-5-5-1-broken-access-control-vulnerability?_s_id=cve) and the WordPress plugin repository changelog. An exact patched version number is not confirmed in the available input data. If immediate patching is not possible, a compensating control is to restrict the WordPress site to trusted authenticated users only - disable open user registration and audit existing low-privilege accounts, since exploitation requires PR:L. Alternatively, a Web Application Firewall rule scoped to the plugin's AJAX or REST endpoints can block unauthorized capability calls, though this may interfere with legitimate plugin functionality and should be tested before production deployment.

Share

EUVD-2026-31096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy