Medium severity 5.0 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-45443

Description

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in PDF for Elementor Forms plugin up to version 5.5.1 allows attackers to exploit incorrectly configured access controls.

Vulnerability

The vulnerability is a missing authorization (broken access control) flaw in the PDF for Elementor Forms + Drag And Drop Template Builder plugin for WordPress. Affected versions are from n/a through 5.5.1. The plugin fails to properly check permissions on certain functions, allowing exploitation of incorrectly configured access control security levels. [1]

Exploitation

An attacker does not require authentication or any special privileges. They can send crafted requests to the vulnerable endpoints to trigger actions that should be restricted to higher-privileged users. No user interaction is needed. The attack vector is network-based. [1]

Impact

Successful exploitation could lead to unauthorized access to sensitive data or functionality, potentially allowing the attacker to modify or delete PDF templates, access form submissions, or perform other actions normally reserved for administrators. The CVSS score is 5.0 (Medium), indicating moderate impact on confidentiality and integrity. [1]

Mitigation

The vulnerability is fixed in version 5.6.1, released on an unknown date but available from the WordPress plugin repository. Users should update immediately. For those unable to update, consider disabling the plugin or implementing additional access controls via a web application firewall. Patchstack users can enable auto-updates. [1]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
