CVE-2026-9018
Received Received - Intake
Privilege Escalation in Easy Elements for Elementor WordPress Plugin

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: Wordfence

Description
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-22
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-9018
EUVD
EUVD-2026-31410
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
easy_elements easy_elements_for_elementor to 1.4.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress has a privilege escalation vulnerability in versions up to and including 1.4.5. This occurs via the easyel_handle_register() function, where an AJAX handler processes an attacker-controlled custom_meta POST array without filtering keys. As a result, an attacker can overwrite the wp_capabilities user meta key after a new user is created, allowing them to assign administrator-level privileges to a newly registered account.

Exploitation requires that user registration is enabled on the WordPress site and that at least one page exposes the Login/Register widget, which includes a nonce (easy_elements_nonce) accessible to unauthenticated visitors. By supplying custom_meta[wp_capabilities][administrator]=1 during registration, an attacker can gain full admin rights.

Impact Analysis

This vulnerability allows unauthenticated attackers to create new user accounts with full administrator privileges on the affected WordPress site. This can lead to complete site takeover, including the ability to modify content, install malicious plugins or themes, access sensitive data, and disrupt site operations.

Detection Guidance

Detection of this vulnerability involves checking if your WordPress site is running the Easy Elements for Elementor plugin version 1.4.5 or earlier, and if user registration is enabled.

You can also monitor for suspicious HTTP POST requests to the AJAX handler endpoint that include the parameter 'custom_meta[wp_capabilities][administrator]=1', which indicates an attempt to escalate privileges.

A possible command to detect such attempts in web server logs (assuming Apache) is:

  • grep -i 'custom_meta\[wp_capabilities\]\[administrator\]=1' /var/log/apache2/access.log

Additionally, you can search for the presence of the 'easy_elements_nonce' in page source or monitor GET requests that retrieve this nonce, as it is required for exploitation.

Mitigation Strategies

Immediate mitigation steps include:

  • Disable user registration on your WordPress site until the vulnerability is patched.
  • Remove or restrict access to any pages exposing the Login/Register widget that publishes the 'easy_elements_nonce' in the DOM.
  • Update the Easy Elements for Elementor plugin to a version later than 1.4.5 where this vulnerability is fixed.
  • Monitor your user accounts for any unauthorized administrator accounts and remove them immediately.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart