CVE-2026-9018

May 22, 2026, 5:16 a.m.

8.8
High

Description

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Easy Elements
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress easy_elements / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/includes/Utils/Enqueue.php#L200
https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/widgets/login-register/class.login-register.php#L128
https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/widgets/login-register/class.login-register.php#L65
https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/widgets/login-register/class.login-register.php#L9
https://www.wordfence.com/threat-intel/vulnerabilities/id/f1de4899-532a-4558-bff0-f4610bfdd49d?source=cve

Tags

[email protected]
CWE-269
2026-05-22
CVE-2026-9018

CVSS Score

8.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 22, 2026, 5:16 a.m.
Last Modified: May 22, 2026, 5:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.