VYPR
High severity · 8.8 · NVD Advisory · Published May 22, 2026

CVE-2026-9018

Description

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyel_handle_register() function. This is due to the wp_ajax_nopriv_eel_register AJAX handler iterating the attacker-controlled custom_meta POST array and writing every supplied key-value pair to the newly created user's meta via update_user_meta() without any key whitelist or blocklist, allowing the wp_capabilities user meta key to be overwritten after wp_insert_user() has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying custom_meta[wp_capabilities][administrator]=1. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required easy_elements_nonce into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated privilege escalation in Easy Elements for Elementor ≤1.4.5 lets attackers register as admin by overwriting `wp_capabilities` via the AJAX registration handler.

Vulnerability

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress, in versions up to and including 1.4.5, contains a privilege escalation vulnerability in the easyel_handle_register() function, exposed via the wp_ajax_nopriv_eel_register AJAX handler. The function passes the user-supplied custom_meta POST array directly to update_user_meta() without any key whitelist or blocklist. This allows an attacker to overwrite the wp_capabilities user meta key after wp_insert_user() has already assigned a safe role, enabling arbitrary role assignment. User registration must be enabled (site option users_can_register) and a page must include the Login/Register widget, which exposes the easy_elements_nonce in the DOM. [1] [2] [3] [4]

Exploitation

An unauthenticated attacker must submit a POST request to the AJAX endpoint with the required nonce and the parameter custom_meta[wp_capabilities][administrator]=1. The nonce can be retrieved from the page HTML of any site page that contains the Login/Register widget (the widget publishes the nonce in a script or element). No prior authentication or user interaction is required. The function then creates a new user with the provided credentials and immediately applies the attacker-specified wp_capabilities, granting full Administrator privileges. [2] [3] [4]

Impact

Successful exploitation results in the creation of an administrator-level account that the attacker fully controls. The attacker can then log in and gain complete control over the WordPress site, including the ability to upload files, install plugins, modify content, and execute arbitrary code. The confidentiality, integrity, and availability of the site are fully compromised. [2] [3]

Mitigation

The fixed version is not explicitly specified in the available references. As of the publication date (2026-05-22), no patch release has been announced; users should disable the Login/Register widget and consider disabling user registration until an update from the vendor is available. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
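As an added defensive example, not code from the Easy Elements plugin or its vendor, the following must-use plugin uses WordPress core's update_user_metadata short-circuit filter to refuse any write to the capabilities meta key during the unauthenticated eel_register AJAX action unless the value is exactly the site's default role (the value wp_insert_user() legitimately sets). The function name, file name and log line format are assumptions; the action name, meta key and request parameter come from the advisory above.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2026-9018 (hypothetical mu-plugin)
 * Install as wp-content/mu-plugins/cve-2026-9018-guard.php.
 * Example code, not part of the Easy Elements for Elementor plugin.
 */

// update_user_metadata fires inside update_metadata() before any write, so a
// non-null return value short-circuits update_user_meta() for this key.
add_filter( 'update_user_metadata', 'eel_guard_capabilities_write', 10, 5 );

function eel_guard_capabilities_write( $check, $object_id, $meta_key, $meta_value, $prev_value ) {
    global $wpdb;

    // Only intervene during the unauthenticated registration action named in the advisory.
    $is_eel_register = defined( 'DOING_AJAX' ) && DOING_AJAX
        && isset( $_REQUEST['action'] ) && 'eel_register' === $_REQUEST['action'];
    if ( ! $is_eel_register || is_user_logged_in() ) {
        return $check; // null: let WordPress proceed as usual
    }

    // The capabilities key is table-prefix dependent: "wp_capabilities" on a default install.
    if ( $meta_key !== $wpdb->prefix . 'capabilities' ) {
        return $check;
    }

    // wp_insert_user() assigns the default role via WP_User::set_role(), which writes
    // array( 'subscriber' => true ) on a default site. That is the only value a
    // self-registration request may legitimately store; anything else is rejected.
    $expected = array( get_option( 'default_role', 'subscriber' ) => true );
    if ( is_array( $meta_value ) && array_keys( $meta_value ) === array_keys( $expected ) ) {
        return $check;
    }

    // Log the blocked attempt so it can be picked up by host or SIEM monitoring.
    error_log( sprintf(
        'CVE-2026-9018 guard: blocked capabilities write for user %d from %s: %s',
        (int) $object_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        wp_json_encode( $meta_value )
    ) );

    return false; // update_user_meta() returns false and the meta row is left untouched
}
```

This is a stopgap that only narrows the specific write the advisory describes; it does not replace disabling the widget or applying a vendor fix once one is released.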

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (No linked articles in our index yet.)