CVE-2026-27983
Incorrect Privilege Assignment in LMS Elementor Pro Enables Escalation
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| designthemes | lms_elementor_pro | to 1.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27983 is a high-severity privilege escalation vulnerability in the WordPress LMS Elementor Pro Plugin versions up to and including 1.0.4.
This vulnerability is classified under OWASP Top 10 A1: Broken Access Control and allows an unauthenticated attacker with low privileges to escalate their access rights to higher privileges.
By exploiting this issue, an attacker can potentially gain full control over the affected website.
How can this vulnerability impact me? :
The vulnerability allows attackers to escalate their privileges from low or unauthenticated access to higher privileges, potentially gaining full control over the affected website.
This can lead to unauthorized actions such as modifying website content, accessing sensitive data, or disrupting website operations.
Given the CVSS score of 9.8, the risk of exploitation is critical and the impact on affected systems can be severe.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about commands or methods to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Since no official patch is currently available for CVE-2026-27983, immediate mitigation involves applying the mitigation rule released by Patchstack to block attacks exploiting this vulnerability.'}, {'type': 'paragraph', 'content': 'Users are strongly advised to implement this mitigation immediately to protect their sites.'}, {'type': 'paragraph', 'content': "Additionally, using Patchstack's automated vulnerability mitigation and continuous security monitoring can help safeguard WordPress sites against such threats."}] [1]