Easy Elements for Elementor – Addons & Website Templates Plugin Vulnerability (CVE-2026-9018)

Security Alert Summary

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress contains a privilege escalation vulnerability (CVE-2026-9018) that can allow an unauthenticated attacker to register a new account with administrator-level privileges by controlling user meta written during the plugin’s registration AJAX handler. Exploitation requires that user registration be enabled and that the Login/Register widget expose the plugin nonce in the page DOM.


CVE Details

  • CVE ID: CVE-2026-9018
  • Affected component: Easy Elements for Elementor – Addons & Website Templates plugin for WordPress
  • Affected versions: All versions up to and including 1.4.5
  • Published: May 22, 2026, 05:16:28 AM
  • Last modified: May 22, 2026, 05:16:28 AM
  • CVSS v3.1 base score: 8.8
  • Severity: HIGH
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack vector / complexity: Network / Low
  • Authentication / privileges / user interaction: Authentication: None (unauthenticated request path available); Privileges required: Low (PR:L); User interaction: None (UI:N)
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • CWE: CWE-269

Technical Details

The vulnerability exists in the plugin’s registration handling via the easyel_handle_register() function and the wp_ajax_nopriv_eel_register AJAX handler. The handler iterates an attacker-controlled custom_meta POST array and calls update_user_meta() for each supplied key-value pair without enforcing a whitelist or blocklist of allowed meta keys.

Because the code updates user meta after calling wp_insert_user(), an attacker can overwrite the wp_capabilities meta key by supplying a value such as custom_meta[wp_capabilities][administrator]=1. This allows a newly created user to be assigned administrator-level capabilities despite the safe role assignment performed earlier.

Successful exploitation requires two conditions noted in the report: that WordPress user registration is enabled on the site, and that at least one page publishes the Login/Register widget which outputs the easy_elements_nonce into the DOM. The nonce can be retrieved by an unauthenticated visitor via a simple GET request and then used to submit the malicious registration POST data.
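The fix for the pattern described above is to never let request data choose which meta keys get written. The following is an added example of a hardened registration handler written for this post, not the plugin's own code; the hook name, nonce action, and the list of allowed meta keys are assumptions for illustration.

```php
<?php
// Hardened registration handler (hypothetical names, added example).
// Key idea: the server iterates a fixed allowlist of meta keys, so a client
// cannot reach wp_capabilities (really $wpdb->prefix . 'capabilities'),
// wp_user_level, or any other privileged key through the custom_meta array.

add_action( 'wp_ajax_nopriv_example_register', 'example_handle_register' );

function example_handle_register() {
    // Verify the request nonce and that open registration is actually enabled.
    check_ajax_referer( 'example_register_nonce', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    // Create the user with the site default role, never a role from the request.
    // wp_insert_user() expects the slashed data WordPress already provides in $_POST.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '', true ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }

    // Allowlist of profile fields this form is permitted to populate (assumed values).
    $allowed_meta = array( 'first_name', 'last_name', 'description' );
    $custom_meta  = ( isset( $_POST['custom_meta'] ) && is_array( $_POST['custom_meta'] ) )
        ? $_POST['custom_meta']
        : array();

    // Loop over the allowlist, not over the client's keys: unknown keys are ignored
    // and array values (e.g. a nested capability map) are rejected as non-scalar.
    foreach ( $allowed_meta as $key ) {
        if ( isset( $custom_meta[ $key ] ) && is_scalar( $custom_meta[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $custom_meta[ $key ] ) );
        }
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The same allowlist approach applies to any handler that writes user meta from request input, whether or not it is exposed to unauthenticated visitors.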


How This Could Impact Your Website

In a realistic scenario, an external attacker visiting your site could register an account through the exposed Login/Register page, supply crafted custom_meta data, and obtain administrator privileges. That account could then be used to modify plugin and theme settings, create or edit content, install backdoors, or access sensitive site data.

For example, a site owner and internal staff who believe they control administrator access could find an unexpected administrator account present. An external contractor or contributor with access to content could be targeted in social engineering campaigns if account lists or emails are exposed. The presence of an unauthorized administrator also increases the risk of targeted phishing or other social engineering against staff and contributors.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Temporarily disable user registration if it is not required for your site.
  • Review and reduce unnecessary user roles, especially contributor and author roles.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and audit active plugin code that exposes AJAX handlers without proper checks.
  • Monitor site activity and logs for unusual registration events or the creation of unexpected administrator accounts.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
