Description
Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Broken Authentication flaw in the PowerPack Pro for Elementor WordPress plugin allows a remote actor to bypass normal login procedures and gain privileged access to the WordPress site. The vulnerability is classified as CWE‑288, meaning that authentication controls are insufficient or incorrectly implemented. Once accessed, an attacker could edit or delete content, install additional malicious plugins, or otherwise take complete control of the site, affecting confidentiality, integrity, and availability of the hosted information.

Affected Systems

The defect is present in all installations of PowerPack Pro for Elementor plugin version numbers lower than 2.13.0 released by Powerpackelements. No specific operating system, WordPress core version, or server environment restrictions are listed, so any WordPress site that has a vulnerable plugin version is at risk.

Risk and Exploitability

The CVSS base score of 8.8 reflects a high severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests no documented exploits yet. However, because the flaw allows unauthenticated access and is reachable through the web interface, the likely attack vector is remote via HTTP or HTTPS. This combination of high impact potential and ease of exploitation makes the vulnerability a top priority for site owners.

Generated by OpenCVE AI on June 18, 2026 at 14:03 UTC.

Remediation

Vendor Solution

Update the WordPress PowerPack Pro for Elementor Plugin to the latest available version (at least 2.13.0).


OpenCVE Recommended Actions

  • Update the PowerPack Pro for Elementor plugin to version 2.13.0 or later.
  • If an immediate update cannot be performed, temporarily deactivate the plugin or restrict access to the WordPress admin area until the update is applied.
  • Monitor authentication and access logs for repeated unauthorized attempts and block offending IP addresses.

Generated by OpenCVE AI on June 18, 2026 at 14:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerpackelements
Powerpackelements powerpack Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Powerpackelements
Powerpackelements powerpack Addons For Elementor
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.
Title WordPress PowerPack Pro for Elementor plugin < v2.13.0 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Powerpackelements Powerpack Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:29:48.105Z

Reserved: 2026-04-29T07:06:45.121Z

Link: CVE-2026-42629

cve-icon Vulnrichment

Updated: 2026-06-17T15:29:41.289Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel