Description
Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Broken Access Control flaw in Essential Addons for Elementor, identified as CWE-862. Based on the description, it is inferred that an attacker without valid credentials could use crafted requests or URLs to reach plugin management endpoints that normally require administrative privileges. This could allow the attacker to view, modify, or delete plugin settings and content that should be restricted to authorized administrators.

Affected Systems

The affected product is WPDeveloper's Essential Addons for Elementor plugin. Versions earlier than 6.6.0 are vulnerable. Any WordPress site that has installed an older plugin version is potentially at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity level. An EPSS score of < 1% suggests that the probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, exploitation is theoretically straightforward via unauthenticated crafted requests, giving an attacker unauthorized administrative capabilities if the site remains on a vulnerable plugin version.

Generated by OpenCVE AI on June 18, 2026 at 03:29 UTC.

Remediation

Vendor Solution

Update the WordPress Essential Addons for Elementor Plugin to the latest available version (at least 6.6.0).


OpenCVE Recommended Actions

  • Update the Essential Addons for Elementor plugin to version 6.6.0 or later.
  • If an update is not feasible, deactivate or uninstall the plugin from the WordPress installation to eliminate the exposed control surface.
  • Deploy a web application firewall or configure access rules to block unauthenticated requests to the plugin’s administration endpoints.

Generated by OpenCVE AI on June 18, 2026 at 03:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdeveloper
Wpdeveloper essential Addons For Elementor
Vendors & Products Wordpress
Wordpress wordpress
Wpdeveloper
Wpdeveloper essential Addons For Elementor

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
Title WordPress Essential Addons for Elementor plugin < 6.6.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpdeveloper Essential Addons For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:54:00.518Z

Reserved: 2026-02-02T12:53:40.964Z

Link: CVE-2026-25440

cve-icon Vulnrichment

Updated: 2026-06-16T14:53:54.546Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:40.410

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-25440

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:30:16Z

Weaknesses