CVE-2026-15155
Received Received - Intake

Authenticated Account Takeover via Email Header Injection in Essential Addons for Elementor

Vulnerability report for CVE-2026-15155, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers β€” the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
essential_addons essential_addons_for_elementor to 6.6.10 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Essential Addons for Elementor plugin for WordPress, specifically in versions up to and including 6.6.10. It is an Authenticated Account Takeover vulnerability caused by Email Header Injection.

The issue arises because the plugin does not properly validate a Login/Register widget setting on the server side. While the client-side editor UI restricts allowed values, the server does not enforce these restrictions and fails to sanitize carriage return and line feed (CR/LF) characters.

This allows an authenticated attacker with Contributor-level access or higher to inject additional email headers, such as a Bcc header, into the administrator's password-reset notification email. By doing so, the attacker can receive a copy of the administrator's password-reset link and take over the administrator account.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker with relatively low privileges (Contributor-level access) to escalate their privileges to full administrator control.

By injecting a Bcc header into password-reset emails, the attacker can intercept the administrator's password-reset link, reset the administrator password, and gain full control over the WordPress site.

This can lead to complete compromise of the website, including unauthorized access to sensitive data, modification or deletion of content, installation of malicious code, and disruption of site operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart