CVE-2026-2386
Incorrect Authorization in The Plus Addons for Elementor Allows Draft Post Creation

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_user_can('edit_posts') while accepting a user-controlled 'post_type' value passed directly to wp_insert_post() without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., 'page' and 'nxt_builder') via the 'post_type' parameter.
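The following is an added illustrative example, not code from the plugin or from Wordfence: it contrasts the authorization pattern the description identifies (a generic edit_posts check followed by a user-controlled post_type passed to wp_insert_post()) with a handler that resolves the requested post type and checks that type's own create capability. The function names, the nonce action and the allowlist are assumptions; only the WordPress core APIs are real.

```php
<?php
// Added example (not the plugin's code). Function names other than
// WordPress core APIs, the nonce action and the allowlist are assumed.

// Weak pattern: one generic capability check, then a user-controlled post type.
function example_create_page_weak() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( $_POST['post_type'] ) : 'post';
    // An Author holds edit_posts, but creating a 'page' requires edit_pages;
    // nothing here asks which capability the requested type actually needs.
    $id = wp_insert_post( array(
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_type'   => $post_type,
        'post_status' => 'draft',
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// Hardened pattern: nonce, an explicit allowlist, and the post type's own create capability.
const EXAMPLE_ALLOWED_POST_TYPES = array( 'post', 'page' ); // assumed allowlist

function example_create_page_hardened() {
    check_ajax_referer( 'example_create_page' ); // nonce action name is assumed

    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( $_POST['post_type'] ) : 'post';
    if ( ! in_array( $post_type, EXAMPLE_ALLOWED_POST_TYPES, true ) ) {
        wp_send_json_error( 'unsupported post type', 400 );
    }

    // Ask WordPress which capability creates this type:
    // 'post' maps to edit_posts, 'page' to edit_pages, custom types to whatever they registered.
    $pto = get_post_type_object( $post_type );
    if ( ! $pto || ! current_user_can( $pto->cap->create_posts ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $id = wp_insert_post( array(
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_type'   => $post_type,
        'post_status' => 'draft',
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

add_action( 'wp_ajax_example_create_page', 'example_create_page_hardened' );
```

The allowlist matters on its own: a custom post type registered with capability_type 'post' resolves create_posts to edit_posts, so the capability check alone would still admit an Author for that type.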
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-18
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE

Vendor              Product                           Version / Range
the_plus_addons     the_plus_addons_for_elementor     up to 6.4.7 (inclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

The vulnerability exists in The Plus Addons for Elementor WordPress plugin, versions up to and including 6.4.7. It is an Incorrect Authorization issue in the tpae_create_page() AJAX handler. This handler only checks whether the user has the 'edit_posts' capability; it does not verify that the user may create the specific post type requested.

Because the 'post_type' parameter is user-controlled and passed directly to the wp_insert_post() function without additional capability checks, an authenticated attacker with Author-level access or higher can create draft posts of restricted post types such as 'page' or 'nxt_builder'.

Impact Analysis

This vulnerability allows an authenticated user with Author-level permissions or higher to create arbitrary draft posts for restricted post types that they normally should not be able to create.

This could lead to unauthorized content creation, potentially allowing attackers to insert unwanted or malicious content into the website's draft posts, which might later be published or used to exploit other parts of the site.

While it does not directly allow content publishing or site takeover, it weakens the authorization controls and could be leveraged in a broader attack scenario.


Mitigation Strategies

The vulnerability exists in all versions up to and including 6.4.7 of The Plus Addons for Elementor plugin.

To mitigate this vulnerability, update the plugin to a version later than 6.4.7, where the issue is presumably fixed.

Since the provided changeset for version 6.4.8 does not explicitly mention a security fix, it is recommended to monitor official plugin updates or security advisories for a confirmed patch.

Additionally, restrict Author-level user permissions carefully, as the vulnerability allows authenticated users with Author-level access and above to create arbitrary draft posts of restricted post types.
