Description
Unauthenticated Privilege Escalation in Easy Elements for Elementor – Addons & Website Templates <= 1.4.9 versions.
Published: 2026-06-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to gain administrator privileges within a WordPress site. This access control flaw, classified as CWE‑266 (Incorrect Privilege Assignment), could enable the attacker to alter content, install additional malware, or exfiltrate sensitive data. No credentials are required for exploitation.

Affected Systems

The Easy Elements for Elementor – Addons & Website Templates plugin versions 1.4.9 and earlier, distributed by themewant, are affected. All WordPress sites that have installed a vulnerable version of this plugin are at risk; no other WordPress core or third‑party components are directly impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score is not available, but the lack of exploitation data suggests the vulnerability may not yet be widely abused. It is not listed in the CISA KEV catalog, yet its high score and unauthenticated nature make it a top priority. A likely attack vector would be a direct HTTP request to the vulnerable plugin endpoint from any external IP address, requiring no prior authentication.

Generated by OpenCVE AI on June 26, 2026 at 16:43 UTC.

Remediation

Vendor Solution

Update the WordPress Easy Elements for Elementor – Addons & Website Templates Plugin to the latest available version (at least 1.5.0).


OpenCVE Recommended Actions

  • Upgrade Easy Elements for Elementor – Addons & Website Templates plugin to version 1.5.0 or later.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to prevent exploitation until a fixed version is available.
  • Deploy monitoring or WAF rules that detect privilege escalation or unauthorized post creation to alert administrators of potential exploitation.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Privilege Escalation in Easy Elements for Elementor – Addons & Website Templates <= 1.4.9 versions.
Title | | WordPress Easy Elements for Elementor – Addons & Website Templates plugin <= 1.4.9 - Privilege Escalation vulnerability
Weaknesses | | CWE-266
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:32.977Z

Reserved: 2026-06-18T14:37:29.429Z

Link: CVE-2026-56028

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment