CVE-2026-25440

Vulnerability

The Essential Addons for Elementor plugin for WordPress versions prior to 6.6.0 contain a broken access control vulnerability [1]. This missing authorization or nonce token check allows unauthenticated users to perform actions that should require higher privileges [1]. The vulnerability affects all versions below 6.6.0.

Exploitation

An attacker can exploit this vulnerability without authentication by sending crafted requests to the vulnerable plugin endpoints [1]. No special network position or user interaction is required. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an unprivileged attacker to execute higher privileged actions, potentially leading to unauthorized modification of site content or settings [1]. The CVSS score is 5.3 (Medium), indicating moderate impact on confidentiality, integrity, or availability [1].

Mitigation

The vulnerability is fixed in version 6.6.0 of the Essential Addons for Elementor plugin [1]. Users should update to version 6.6.0 or later immediately. Patchstack users can enable auto-update for vulnerable plugins [1]. If unable to update, consult hosting provider or web developer for assistance [1].