CVE-2026-2386
Incorrect Authorization in The Plus Addons for Elementor Allows Draft Post Creation
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_plus_addons | the_plus_addons_for_elementor | up to and including 6.4.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects The Plus Addons for Elementor WordPress plugin, versions up to and including 6.4.7. It is an Incorrect Authorization issue (CWE-863) in the tpae_create_page() AJAX handler. The handler checks only that the calling user holds the generic 'edit_posts' capability; it never checks whether that user is allowed to create the specific post type being requested.
Because the 'post_type' parameter is user-controlled and is passed straight to wp_insert_post(), which performs no capability checks of its own, an authenticated attacker with Author-level access or higher can create draft posts of post types they are not otherwise permitted to create. The advisory names 'page' (creating pages normally requires the 'edit_pages' capability, which the Author role does not have) and the plugin's own 'nxt_builder' post type.
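The following is an added illustration, not code from The Plus Addons for Elementor. It reconstructs the shape of the flaw from the description above (a generic 'edit_posts' check in tpae_create_page() followed by wp_insert_post() on a user-supplied 'post_type') and places a hardened form beside it. The AJAX action hook name, the nonce name, the 'title' parameter and the allow-list of post types are assumptions made for the example; only tpae_create_page(), the 'post_type' parameter, the 'edit_posts' check and the wp_insert_post() call come from the advisory.

```php
<?php
// Added example, not the plugin's own code. Hook name, nonce name, 'title'
// parameter and the allow-list below are assumptions for illustration.

// --- Vulnerable shape: a generic capability gates a user-chosen post type. ---
function tpae_create_page_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {     // every Author passes this check
        wp_send_json_error( 'forbidden', 403 );
    }
    // 'post_type' comes from the request and is never checked against the
    // capabilities of that type, so 'page' or 'nxt_builder' are accepted.
    $post_type = sanitize_key( wp_unslash( $_POST['post_type'] ?? 'page' ) );
    $post_id   = wp_insert_post( array(             // wp_insert_post() checks no caps
        'post_type'   => $post_type,
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'draft',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// --- Hardened form: authorize against the post type actually requested. ---
function tpae_create_page_hardened() {
    check_ajax_referer( 'tpae_create_page', 'nonce' );   // nonce name assumed (CSRF guard)

    $post_type = isset( $_POST['post_type'] )
        ? sanitize_key( wp_unslash( $_POST['post_type'] ) )
        : 'page';

    // Reject unregistered types and anything outside what the feature should
    // expose; the allow-list is an assumption, narrow it to what you need.
    $allowed = array( 'page', 'post' );
    $pto     = get_post_type_object( $post_type );
    if ( ! $pto || ! in_array( $post_type, $allowed, true ) ) {
        wp_send_json_error( 'invalid post type', 400 );
    }

    // WordPress derives create_posts per type: 'edit_posts' for posts but
    // 'edit_pages' for pages, so an Author is refused here for 'page'.
    if ( ! current_user_can( $pto->cap->create_posts ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $post_id = wp_insert_post( array(
        'post_type'   => $post_type,
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'draft',
        'post_author' => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Hook name assumed; only logged-in users reach wp_ajax_* actions.
add_action( 'wp_ajax_tpae_create_page', 'tpae_create_page_hardened' );
```

The key change is that the capability is looked up from the post type object after the type has been validated, instead of a fixed capability chosen before the request is read. Because WordPress maps 'create_posts' to 'edit_pages' for the 'page' type, the hardened handler refuses an Author for pages while still allowing them to create posts, which is the behaviour the core editor enforces.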
How can this vulnerability impact me?
This vulnerability allows an authenticated user with Author-level permissions or higher to create draft posts of restricted post types that their role should not be able to create.
The result is unauthorized content creation: an attacker can place unwanted or malicious content into the site's drafts for those types, where it may later be published by a more privileged user or used as a foothold against other parts of the site.
The issue does not by itself allow publishing or site takeover, but it weakens the site's authorization controls and could be chained with other weaknesses in a broader attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
All versions of The Plus Addons for Elementor up to and including 6.4.7 are affected.
To mitigate this vulnerability, update the plugin to a version later than 6.4.7, where the issue is presumably fixed.
Because the changeset provided for version 6.4.8 does not explicitly mention a security fix, confirm the patch against the official plugin release notes or a security advisory rather than assuming the first later release resolves it.
In the meantime, review which accounts hold Author-level access or higher, since any such account can exercise the flaw, and check the site's draft content of restricted post types (for example pages) for entries created by Author accounts that should not have been able to create them.