Description
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.13. This is due to insufficient role validation in the 'register_user' function, which only blocks the 'administrator' role. This makes it possible for authenticated attackers, with author level access and above, to create new user accounts with elevated privileges such as editor.
Published: 2026-05-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin contains a register_user function that only blocks the administrator role when creating new accounts. Because the code does not verify the caller’s role beyond that, a user who has author or higher access can use the function to create new accounts that are granted editor privileges. The resulting elevation of privilege allows the attacker to perform editor‑level actions, such as editing posts and publishing content, thus potentially compromising the confidentiality, integrity, and availability of the WordPress site.

Affected Systems

All releases of the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin up to and including version 6.5.13 installed on a WordPress site are affected.

Risk and Exploitability

The flaw is exploitable only by users who already possess authenticated author or higher roles, which means the attack vector is internal and requires legitimate credentials. The vulnerability’s CVSS score of 6.5 indicates moderate severity, and its EPSS score is not reported, indicating no current exploitation data. The issue is not listed in the CISA KEV catalog. Consequently, the primary risk is that any existing author or editor account can abuse the register_user function to elevate privileges to editor level, enabling further malicious activity on the site.

Generated by OpenCVE AI on May 14, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin to the latest available version (or apply vendor patch if released).
  • If an upgrade is not immediately possible, disable new user registration via the register_user function or restrict permissions to prevent non‑administrator accounts from creating new users.
  • Audit the user database for newly created editor accounts that may have been unauthorized, and remove or downgrade them.

Generated by OpenCVE AI on May 14, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam essential Addons For Elementor – Popular Elementor Templates & Widgets
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam essential Addons For Elementor – Popular Elementor Templates & Widgets

Thu, 14 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.13. This is due to insufficient role validation in the 'register_user' function, which only blocks the 'administrator' role. This makes it possible for authenticated attackers, with author level access and above, to create new user accounts with elevated privileges such as editor.
Title Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation via register_user
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Wordpress Wordpress
Wpdevteam Essential Addons For Elementor – Popular Elementor Templates & Widgets
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:45:23.691Z

Reserved: 2026-03-30T21:18:50.734Z

Link: CVE-2026-5193

cve-icon Vulnrichment

Updated: 2026-05-14T10:45:19.161Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T07:16:19.977

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-5193

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T10:00:12Z

Weaknesses
  • CWE-269

    Improper Privilege Management