CVE-2026-9018
Privilege Escalation in Easy Elements for Elementor WordPress Plugin
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| easy_elements | easy_elements_for_elementor | up to and including 1.4.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress has a privilege escalation vulnerability in versions up to and including 1.4.5. The flaw is in the easyel_handle_register() function: an AJAX handler processes an attacker-controlled custom_meta POST array without filtering its keys. As a result, an attacker can overwrite the wp_capabilities user meta key after a new user is created, assigning administrator-level privileges to a newly registered account.
Exploitation requires that user registration is enabled on the WordPress site and that at least one page exposes the Login/Register widget, which includes a nonce (easy_elements_nonce) accessible to unauthenticated visitors. By supplying custom_meta[wp_capabilities][administrator]=1 during registration, an attacker can gain full admin rights.
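The weakness class described above is an unfiltered write of client-supplied keys into user meta. The following is an added illustrative example, not the plugin's code: a hypothetical registration handler that reproduces that pattern, beside a hardened form that allow-lists the meta keys it will store and never lets the client choose a role. The function names prefixed `hypothetical_` are assumptions; the WordPress API calls (`wp_insert_user`, `update_user_meta`, `sanitize_key`, `sanitize_text_field`, `sanitize_user`, `sanitize_email`, `is_wp_error`, `get_option`) are real.

```php
<?php
// Added example, not the plugin's code. Shows the weakness class from the
// advisory (custom_meta keys written as user meta without filtering) next to
// a hardened handler. Assumes it runs inside WordPress.

// UNSAFE PATTERN: every submitted custom_meta key becomes a user meta row, so
// protected keys such as wp_capabilities can be overwritten by the client.
// A nonce check does not help here: per the advisory the nonce is served to
// unauthenticated visitors, so it only proves the form was loaded.
function hypothetical_register_unsafe( array $post ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    foreach ( (array) ( $post['custom_meta'] ?? array() ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // no allow-list, nested arrays accepted
    }
    return $user_id;
}

// HARDENED PATTERN: only explicitly allowed, non-privileged keys are stored,
// values must be scalars, and the role always comes from site configuration.
const HYPOTHETICAL_ALLOWED_META = array( 'phone', 'company', 'newsletter_opt_in' ); // hypothetical keys

function hypothetical_filter_custom_meta( $custom_meta ): array {
    $clean = array();
    if ( ! is_array( $custom_meta ) ) {
        return $clean;
    }
    foreach ( $custom_meta as $key => $value ) {
        $key = sanitize_key( $key );
        // Allow-list: unknown keys (wp_capabilities, wp_user_level, anything
        // else the form never defined) are dropped rather than denied by name,
        // so a new privileged key cannot slip past a deny-list.
        if ( ! in_array( $key, HYPOTHETICAL_ALLOWED_META, true ) ) {
            continue;
        }
        // A capability map is an array; legitimate profile fields are scalars.
        if ( is_array( $value ) || is_object( $value ) ) {
            continue;
        }
        $clean[ $key ] = sanitize_text_field( (string) $value );
    }
    return $clean;
}

function hypothetical_register_hardened( array $post ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        // Role is fixed server-side; never derived from request data.
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    foreach ( hypothetical_filter_custom_meta( $post['custom_meta'] ?? null ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    return $user_id;
}
```

The defensive point is the allow-list in `hypothetical_filter_custom_meta`: a deny-list of `wp_capabilities` alone would still leave `wp_user_level` and any future privileged meta key reachable, whereas an allow-list of the form's own fields makes every other key a no-op.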
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to create new user accounts with full administrator privileges on the affected WordPress site. This can lead to complete site takeover, including the ability to modify content, install malicious plugins or themes, access sensitive data, and disrupt site operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your WordPress site is running the Easy Elements for Elementor plugin version 1.4.5 or earlier, and if user registration is enabled.
You can also monitor for suspicious HTTP POST requests to the AJAX handler endpoint that include the parameter 'custom_meta[wp_capabilities][administrator]=1', which indicates an attempt to escalate privileges.
A possible command to detect such attempts in web server logs (assuming Apache) is:
- grep -i 'custom_meta\[wp_capabilities\]\[administrator\]=1' /var/log/apache2/access.log
Additionally, you can search for the presence of the 'easy_elements_nonce' in page source or monitor GET requests that retrieve this nonce, as it is required for exploitation.
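The grep above matches the parameter only when the brackets appear literally; browsers and most HTTP clients percent-encode `[` and `]` as `%5B` and `%5D`, so a log-based check should normalise encoding first. The following is an added example, not from the advisory page: a small PHP scanner that parses Apache "combined" log lines and flags any request carrying a `custom_meta[wp_capabilities]` key, whether raw, single- or double-encoded. The log lines are constructed for the example, and the `hypothetical_` function names are assumptions. One caveat a practitioner should keep in mind: Apache's default access log records only the request line, so the indicator shows up there only when sent in the query string; a POST body is visible only to a WAF, a ModSecurity audit log, or application-level request logging.

```php
<?php
// Added detection example (not from the advisory). Scans Apache combined-format
// log lines for the custom_meta[wp_capabilities] indicator, normalising
// percent-encoding so %5B / %5D and double-encoded variants are caught.

// Apache "combined": client ident user [time] "request" status size "referer" "agent"
const HYPOTHETICAL_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "[^"]*"$/';

function hypothetical_is_priv_esc_request( string $request_line ): bool {
    // Decode up to three times so %255B (double-encoded) and %5B both become '['.
    $decoded = $request_line;
    for ( $i = 0; $i < 3; $i++ ) {
        $next = rawurldecode( $decoded );
        if ( $next === $decoded ) {
            break;
        }
        $decoded = $next;
    }
    // The key structure is the indicator. The value is deliberately not
    // required: no legitimate client ever supplies a wp_capabilities entry.
    return (bool) preg_match( '/custom_meta\[wp_capabilities\]/i', $decoded );
}

function hypothetical_scan_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        if ( ! preg_match( HYPOTHETICAL_LOG_RE, $line, $m ) ) {
            continue; // not a combined-format line, skip it
        }
        list( , $ip, $when, $request, $status ) = $m;
        if ( hypothetical_is_priv_esc_request( $request ) ) {
            $hits[] = array(
                'line'    => $n + 1,
                'ip'      => $ip,
                'time'    => $when,
                'status'  => (int) $status,
                'request' => $request,
            );
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). admin-ajax.php is WordPress's
// standard AJAX endpoint; the plugin's action name is not on the page, so it
// is omitted. Lines 1 and 2 carry the indicator raw and percent-encoded.
$sample = array(
    '203.0.113.5 - - [22/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?custom_meta[wp_capabilities][administrator]=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [22/May/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?custom_meta%5Bwp_capabilities%5D%5Badministrator%5D=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [22/May/2026:10:02:00 +0000] "GET /login-page/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

foreach ( hypothetical_scan_log( $sample ) as $hit ) {
    printf( "line %d: %s at %s -> %s (HTTP %d)\n",
        $hit['line'], $hit['ip'], $hit['time'], $hit['request'], $hit['status'] );
}
```

To run it over a real file, replace `$sample` with `file( '/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES )`. A hit with a 2xx status after the plugin's registration endpoint is the one to follow up by auditing newly created administrator accounts.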
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Disable user registration on your WordPress site until the vulnerability is patched.
- Remove or restrict access to any pages exposing the Login/Register widget that publishes the 'easy_elements_nonce' in the DOM.
- Update the Easy Elements for Elementor plugin to a version later than 1.4.5 where this vulnerability is fixed.
- Monitor your user accounts for any unauthorized administrator accounts and remove them immediately.
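The last two steps (confirm whether self-registration is open, and review administrator accounts) can be scripted. The following is an added example, not from the advisory: a PHP audit script intended to run inside WordPress, for instance with WP-CLI's `wp eval-file`, that reports the `users_can_register` setting and lists every administrator, flagging those registered after a cutoff date you choose. The `hypothetical_` function name and the cutoff value are assumptions; `get_option`, `get_users` and the `WP_User` fields are real WordPress API.

```php
<?php
// Added audit example (not from the advisory). Run inside WordPress, e.g.
// `wp eval-file audit-admins.php`. Lists administrator accounts and flags
// any registered on or after a cutoff, and reports whether registration is open.

function hypothetical_audit_admins( string $cutoff_utc ): array {
    $cutoff = strtotime( $cutoff_utc );
    $report = array(
        // users_can_register is the "Anyone can register" setting.
        'registration_open' => (bool) get_option( 'users_can_register' ),
        'admins'            => array(),
    );
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    foreach ( $admins as $u ) {
        $report['admins'][] = array(
            'id'         => $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered, // WordPress stores this in UTC
            'suspicious' => strtotime( $u->user_registered ) >= $cutoff,
        );
    }
    return $report;
}

// Cutoff is a placeholder: use the date you last reviewed the admin list.
$report = hypothetical_audit_admins( '2026-05-01 00:00:00' );
printf( "Self-registration open: %s\n", $report['registration_open'] ? 'YES' : 'no' );
foreach ( $report['admins'] as $a ) {
    printf( "%s#%d %s <%s> registered %s\n",
        $a['suspicious'] ? '[REVIEW] ' : '',
        $a['id'], $a['login'], $a['email'], $a['registered'] );
}
```

Accounts marked `[REVIEW]` that nobody on the team created should be removed and their sessions invalidated; an open `users_can_register` on an unpatched site is the precondition the advisory names, so that line is the first thing to check.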