CVE-2026-1004
Description
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated information disclosure via WooCommerce Quick View popup in Essential Addons for Elementor up to 6.5.5 allows retrieval of draft/pending/private products.
The Essential Addons for Elementor plugin for WordPress, in all versions up to and including 6.5.5, is vulnerable to sensitive information exposure through the 'eael_product_quickview_popup' function. The root cause is a missing access and visibility check when processing Quick View requests, allowing the function to return product data without verifying the product's publication status or the user's permissions. This affects the WooCommerce integration component of the plugin.
An unauthenticated attacker can exploit this by sending a crafted AJAX request to the Quick View endpoint with a product ID that corresponds to a WooCommerce product having a status of draft, pending, or private. The function originally lacked checks to ensure the product is visible or that the current user has the capability to view non-public posts. The attack requires no authentication and can be performed remotely over HTTP via the WordPress admin-ajax.php interface.
If successful, the attacker can retrieve full product information, including title, description, pricing, stock status, and other sensitive metadata for products that should not be publicly accessible. This is a moderate-severity issue (CVSS 5.3) that primarily impacts confidentiality by exposing content intended to be hidden during editorial workflows or restricted access.
The plugin's vendor released a fix in commit 4e43db0, which adds visibility checks and post-status verification for non-admin users [1]. Users should update to version 6.5.6 or later to mitigate the issue. There are no known workarounds; upgrading the plugin is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
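As an added illustration (not the plugin's own code and not the vendor's patch), the following sketches the pattern the narrative describes: a Quick View AJAX handler that loads and returns a product by ID without checking its post status, beside a hardened variant that refuses non-published products to callers who cannot edit them. All function names, the AJAX action name and the request parameter are hypothetical; it assumes WordPress and WooCommerce are loaded.

```php
<?php
// Hypothetical illustration of the missing visibility check; not the plugin's code.
// Assumes WordPress core and WooCommerce (wc_get_product) are available.

// Vulnerable pattern: the product is loaded and rendered for any caller,
// regardless of post_status, so draft/pending/private products are exposed.
function example_quickview_vulnerable() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array(
        'title' => $product->get_name(),
        'price' => $product->get_price(),
    ) );
}

// Hardened check: published products are visible to everyone; any other
// status (draft, pending, private, ...) requires the caller to be allowed
// to edit that specific post. Unauthenticated callers always fail this.
function example_is_product_viewable( $product_id ) {
    if ( 'product' !== get_post_type( $product_id ) ) {
        return false;
    }
    if ( 'publish' === get_post_status( $product_id ) ) {
        return true;
    }
    return current_user_can( 'edit_post', $product_id );
}

function example_quickview_hardened() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    // Same response for hidden and missing products, so the endpoint does not
    // confirm that a non-public product ID exists.
    if ( ! example_is_product_viewable( $product_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    $product = wc_get_product( $product_id );
    wp_send_json_success( array(
        'title' => $product->get_name(),
        'price' => $product->get_price(),
    ) );
}

// The nopriv hook is what makes the endpoint reachable without a session, so
// the status check must live inside the handler rather than rely on login.
add_action( 'wp_ajax_example_quickview', 'example_quickview_hardened' );
add_action( 'wp_ajax_nopriv_example_quickview', 'example_quickview_hardened' );
```

The check is deliberately stricter than WordPress's own read rules for private posts; sites that want subscribers with private-read rights to see private products can substitute the 'read_post' meta capability.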
Affected products
- Range: 2.2.0, 4.9.4, v4.9.1, …
- Range: <=6.5.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/WPDevelopers/essential-addons-for-elementor-lite/commit/4e43db06bcf12870cc3b185ed59b3fe2cd227945
- plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php
- www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5
News mentions
No linked articles in our index yet.