CVE-2026-42629
Deferred Deferred - Pending Action

Unauthenticated Broken Authentication in PowerPack Pro for Elementor

Vulnerability report for CVE-2026-42629, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
powerpack_pro elementor to 2.13.0 (exc)
powerpack powerpack_pro_for_elementor to 2.13.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to gain unauthorized admin access by exploiting broken authentication in the PowerPack Pro for Elementor plugin. Such unauthorized access can lead to exposure, modification, or deletion of sensitive data.

This type of security breach can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

Failure to address this vulnerability could result in violations of these regulations due to potential data breaches or unauthorized data manipulation.

Detection Guidance

The vulnerability in PowerPack Pro for Elementor versions prior to 2.13.0 is related to broken authentication that allows unauthorized admin access via crafted links, pages, or form submissions.

Detection can focus on monitoring for suspicious HTTP requests that attempt to exploit authentication mechanisms, such as unusual POST requests or access attempts to admin endpoints without proper credentials.

Since Patchstack has issued a mitigation rule to block attacks until the plugin is updated, applying this rule can help detect and prevent exploitation attempts.

  • Use web server logs or intrusion detection systems to look for unusual requests targeting the PowerPack Pro for Elementor plugin endpoints.
  • Monitor for HTTP requests containing suspicious parameters or payloads that could be part of crafted links or form submissions aiming to bypass authentication.
  • Commands such as `grep` on web server logs can be used to filter suspicious requests, for example: `grep -i 'powerpack' /var/log/apache2/access.log` or `grep -i 'elementor' /var/log/nginx/access.log`.
  • Use network monitoring tools like Wireshark or tcpdump to capture and analyze HTTP traffic for signs of exploitation attempts.
  • Apply the Patchstack mitigation rule if available, which may include specific firewall or WAF rules to block known attack patterns.
Executive Summary

CVE-2026-42629 is a high-priority Broken Authentication vulnerability in the WordPress PowerPack Pro for Elementor Plugin versions prior to 2.13.0.

This vulnerability allows attackers to perform actions that are normally restricted to higher-privileged users, potentially gaining unauthorized admin access.

Exploitation involves a privileged user interacting with a malicious link, crafted page, or form submission.

Impact Analysis

The vulnerability can lead to unauthorized administrative access, allowing attackers to perform high-impact actions such as modifying site content, changing configurations, or installing malicious code.

Because of the high CVSS score of 8.8, it is considered highly dangerous and likely to be targeted in mass-exploit campaigns.

If exploited, it can severely compromise the security and integrity of your WordPress site.

Mitigation Strategies

Immediate action is advised to mitigate this vulnerability.

  • Update the PowerPack Pro for Elementor plugin to version 2.13.0 or later.
  • Apply the mitigation rule issued by Patchstack to block attacks until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42629. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart