Description
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.
Published: 2026-05-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Elements for Elementor – Addons & Website Templates plugin is subject to an unauthenticated privilege escalation flaw. The wp_ajax_nopriv_eel_register AJAX handler does not whitelist the custom_meta POST array and writes each supplied key-value pair to a newly created user's meta, allowing an attacker to overwrite the wp_capabilities key and assign administrator privileges during registration.

Affected Systems

Any WordPress site running the Easy Elements for Elementor – Addons & Website Templates plugin by themewant with a version up to and including 1.4.5 is affected.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity. Because the EPSS score is unavailable and the vulnerability is not listed in CISA KEV, the likelihood of widespread exploitation is uncertain but could be significant if the conditions are met. Attackers need user registration enabled and a page exposing the Login/Register widget that publishes the easy_elements_nonce. With the nonce in hand, an unauthenticated user can submit a specially crafted POST request to the wp_ajax_nopriv_eel_register endpoint, creating a new account with full administrator privileges.

Generated by OpenCVE AI on May 22, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Elements for Elementor – Addons & Website Templates to the latest version (>=1.4.6) to remove the custom_meta vulnerability.
  • Temporarily disable the Login/Register widget until the plugin is patched to prevent nonce exposure.
  • If the site does not require new user registrations, remove or disable user registration entirely during remediation.

Generated by OpenCVE AI on May 22, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Themewant
Themewant easy Elements For Elementor – Addons & Website Templates
Wordpress
Wordpress wordpress
Vendors & Products Themewant
Themewant easy Elements For Elementor – Addons & Website Templates
Wordpress
Wordpress wordpress

Fri, 22 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.
Title Easy Elements for Elementor – Addons & Website Templates <= 1.4.5 - Unauthenticated Privilege Escalation via 'custom_meta' Parameter
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themewant Easy Elements For Elementor – Addons & Website Templates
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T12:19:20.970Z

Reserved: 2026-05-19T14:38:27.978Z

Link: CVE-2026-9018

cve-icon Vulnrichment

Updated: 2026-05-22T12:19:17.404Z

cve-icon NVD

Status : Received

Published: 2026-05-22T05:16:28.067

Modified: 2026-05-22T05:16:28.067

Link: CVE-2026-9018

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T06:30:29Z

Weaknesses