Description
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Published: 2026-05-20
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Elements for Elementor plugin contains a function that handles user registration without validating the role supplied by the client. An attacker can submit a registration request with the role set to "administrator" and create an admin user without authentication. This gives the attacker full administrative privileges on the WordPress site, compromising the confidentiality, integrity, and availability of the entire site and all its data. The weakness is a classic role-based access control flaw classified as CWE-269 (Improper Privilege Management).

Affected Systems

This vulnerability affects the WordPress plugin "Easy Elements for Elementor – Addons & Website Templates" version 1.4.4 and all earlier releases. Any WordPress site running a vulnerable version of this plugin is at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. No EPSS value is published and the CVE is not listed in KEV, but neither fact reduces the likelihood of exploitation: unauthenticated users can trigger the flaw via the public registration endpoint. Based on the description, the attack vector is remote and unauthenticated, over the web interface. The attacker needs only the ability to reach the WordPress site and submit the registration form with a crafted role parameter.

Generated by OpenCVE AI on May 20, 2026 at 03:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy Elements for Elementor plugin to the latest version (1.4.5 or newer) where the privilege escalation has been fixed.
  • If an upgrade is not feasible, disable or remove the user registration functionality within the plugin or in WordPress settings, preventing new user creation entirely.
  • Review the user database for any accounts created with the administrator role during the period of vulnerability and reset or delete them, then reset all passwords for administrator accounts.
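One way to carry out the account review in the last item, as an added example (not OpenCVE's or the plugin vendor's code): it reads a CSV export of users and flags every account that holds the administrator role, was registered on or after a cutoff date, and is not on a list of known administrators. The column names match `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv`; the sample rows, the cutoff date and the known-admin list are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of:
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
SAMPLE_EXPORT = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2023-02-11 09:14:02,administrator
7,jdoe,jdoe@example.com,2025-11-03 16:40:55,editor
12,newadmin,x1@example.net,2026-04-30 03:12:44,administrator
13,shopper,buyer@example.org,2026-05-02 10:05:31,customer
14,support2,x2@example.net,2026-05-19 23:58:10,"subscriber,administrator"
"""


def suspicious_admins(export_text, cutoff, known_admins):
    """Return admin accounts registered at/after cutoff that nobody vouches for."""
    known = {name.lower() for name in known_admins}
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # A user can hold several roles; the export lists them comma-separated.
        roles = {r.strip().lower() for r in row["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff and row["user_login"].lower() not in known:
            flagged.append((int(row["ID"]), row["user_login"], row["user_registered"]))
    return sorted(flagged, key=lambda item: item[2])


if __name__ == "__main__":
    # Assumption: the cutoff is the date a vulnerable plugin version was
    # first installed on this site; 2026-01-01 is a constructed value.
    cutoff = datetime(2026, 1, 1)
    for user_id, login, registered in suspicious_admins(
        SAMPLE_EXPORT, cutoff, known_admins=["siteowner"]
    ):
        print(f"REVIEW id={user_id} login={login} registered={registered}")
```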



Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themewant; Themewant easy Elements For Elementor – Addons & Website Templates; Wordpress; Wordpress wordpress
Vendors & Products | | Themewant; Themewant easy Elements For Elementor – Addons & Website Templates; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Title | | Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register
Weaknesses | | CWE-269
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T01:25:47.342Z

Reserved: 2026-04-28T08:32:12.353Z

Link: CVE-2026-7284

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T02:16:39.083

Modified: 2026-05-20T02:16:39.083

Link: CVE-2026-7284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:33Z
