VYPR
High severity8.8NVD Advisory· Published May 22, 2026· Updated May 22, 2026

CVE-2026-9018

CVE-2026-9018

Description

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyel_handle_register() function. This is due to the wp_ajax_nopriv_eel_register AJAX handler iterating the attacker-controlled custom_meta POST array and writing every supplied key-value pair to the newly created user's meta via update_user_meta() without any key whitelist or blocklist, allowing the wp_capabilities user meta key to be overwritten after wp_insert_user() has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying custom_meta[wp_capabilities][administrator]=1. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required easy_elements_nonce into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

1