Description
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.
Published: 2026-04-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Unauthorized arbitrary plugin installation and activation by authenticated users, enabling potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Vertex Addons for Elementor up to version 1.6.4 allows any authenticated user with a Subscriber role or higher to install and activate arbitrary WordPress plugins through the activate_required_plugins function. The function performs a capability check that does not terminate the operation when the check fails, which leads to plugin installation and activation even for unauthorized users. This design flaw permits the introduction of malicious plugins that can execute arbitrary code, compromising confidentiality, integrity, and availability of the WordPress site.

Affected Systems

WordPress installations running the Vertex Addons for Elementor plugin from the vendor Webilia, specifically all releases up to and including version 1.6.4. Site administrators should verify that the plugin is not running the vulnerable code and review any unexpected plugin additions.

Risk and Exploitability

The vulnerability has a CVSS base score of 8.8, indicating high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, but it can be exploited by any authenticated user who can reach the plugin’s AJAX endpoint. Based on the description, the attacker can submit crafted HTTP requests to the afeb_activate_required_plugins action to trigger arbitrary plugin installation and activation, leading to potential remote code execution.

Generated by OpenCVE AI on April 9, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vertex Addons for Elementor to the latest version that contains the fix.
  • Verify that the activate_required_plugins function now correctly exits when current_user_can('install_plugins') fails; if not, patch the code manually to enforce the capability check.
  • Restrict the install_plugins capability to administrators only by reviewing user role settings and ensuring Subscribers cannot install or activate plugins.
  • If an immediate update is not possible, temporarily disable the plugin’s AJAX endpoint or remove the afeb_activate_required_plugins action to block exploitation.
  • Monitor the site for unexpected plugin installations and review installed plugins for malicious code.
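The check-ordering flaw described in the Description above, and the fix the second recommended action asks for, as a constructed PHP illustration added here (not the plugin's code and not part of the OpenCVE analysis); the nonce name and the install_and_activate_plugin() helper are assumptions.

```php
<?php
// Constructed illustration, not the plugin's code: a capability check that only
// records an error while the install/activate code still runs, beside the fixed form.

// Vulnerable pattern: the error is only sent after the work has been done.
function vulnerable_activate_required_plugins() {
    $error = '';
    if ( ! current_user_can( 'install_plugins' ) ) {
        $error = 'You are not allowed to install plugins.'; // no return/wp_die()
    }
    $slug = sanitize_key( $_POST['plugin'] ?? '' );
    install_and_activate_plugin( $slug );                  // runs for any user
    if ( $error !== '' ) {
        wp_send_json_error( $error );                       // too late
    }
    wp_send_json_success();
}

// Hardened pattern: nonce first, then stop before any state change when the
// capability is missing. wp_send_json_error() ends the request via wp_die().
function fixed_activate_required_plugins() {
    check_ajax_referer( 'afeb_activate_required_plugins', 'nonce' ); // assumed nonce name
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'You are not allowed to install plugins.', 403 );
    }
    $slug   = sanitize_key( $_POST['plugin'] ?? '' );
    $result = install_and_activate_plugin( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// Assumed helper built on core WordPress APIs: look the slug up on WordPress.org,
// install the package with Plugin_Upgrader, then activate the installed plugin.
function install_and_activate_plugin( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    if ( true !== $upgrader->install( $api->download_link ) ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.' );
    }
    return activate_plugin( $upgrader->plugin_info() );
}
// Only the hardened handler is registered for the AJAX action named on this page.
add_action( 'wp_ajax_afeb_activate_required_plugins', 'fixed_activate_required_plugins' );
```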

Generated by OpenCVE AI on April 9, 2026 at 03:51 UTC.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Webilia
                                      Webilia vertex Addons For Elementor
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Webilia
                                      Webilia vertex Addons For Elementor
                                      Wordpress
                                      Wordpress wordpress

Thu, 09 Apr 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description                    The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.
Title                          Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T01:25:55.660Z

Reserved: 2026-03-17T13:09:41.727Z

Link: CVE-2026-4326

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T02:16:16.530

Modified: 2026-04-09T02:16:16.530

Link: CVE-2026-4326

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:19Z

Weaknesses