Description
Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Broken Access Control in the WordPress Essential Addons for Elementor plugin allows an attacker to perform privileged actions normally reserved for authenticated administrators. The vulnerability arises from insufficient checks on user permissions when accessing certain plugin functionalities, enabling a user with no credentials to manipulate settings or data that should be restricted.

Affected Systems

Vendors: WPDeveloper. Product: Essential Addons for Elementor. Versions prior to 6.6.0 are affected. Any WordPress site running an older plugin version is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. An EPSS score of < 1% suggests the current likelihood of exploitation is very low, and the vulnerability is not listed in CISA KEV. Nonetheless, exploitation is theoretically possible via crafted requests or URLs, and an attacker could gain unauthorized administrative capabilities if the site remains on a vulnerable plugin version.

Generated by OpenCVE AI on June 16, 2026 at 21:53 UTC.

Remediation

Vendor Solution

Update the WordPress Essential Addons for Elementor Plugin to the latest available version (at least 6.6.0).

OpenCVE Recommended Actions

  • Update the Essential Addons for Elementor plugin to version 6.6.0 or later.
  • If a timely update is not possible, disable or remove the plugin from the site to eliminate the attack surface.
  • Configure role‑based access controls or a web application firewall to block unauthenticated users from accessing the plugin’s administrative endpoints.

Generated by OpenCVE AI on June 16, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdeveloper
Wpdeveloper essential Addons For Elementor
Vendors & Products Wordpress
Wordpress wordpress
Wpdeveloper
Wpdeveloper essential Addons For Elementor

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
Title WordPress Essential Addons for Elementor plugin < 6.6.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpdeveloper Essential Addons For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:54:00.518Z

Reserved: 2026-02-02T12:53:40.964Z

Link: CVE-2026-25440

cve-icon Vulnrichment

Updated: 2026-06-16T14:53:54.546Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:40.410

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-25440

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:00:13Z

Weaknesses