What the vulnerability does
01 Description
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_user_can('edit_posts') while accepting a user-controlled 'post_type' value passed directly to wp_insert_post() without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., 'page' and 'nxt_builder') via the 'post_type' parameter.
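The flaw described above is a capability check that is too coarse for the operation it guards: `edit_posts` says nothing about whether the caller may create a post of the specific type named in the request. The following is an added example (not code from the plugin, and with hypothetical function and action names) that shows that weak pattern next to a hardened handler which allowlists the post type and checks the capability WordPress registers for that type. For the built-in `page` type, `create_posts` maps to `edit_pages`, which Authors do not hold, so the same request is refused for them.

```php
<?php
// Added example, not the plugin's code. Function/action names are hypothetical.

// Weak pattern (what the advisory describes): a single generic capability check,
// then a user-controlled post_type handed straight to wp_insert_post().
function example_create_page_weak() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() ends the request
    }
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : 'post';
    $post_id   = wp_insert_post( array(
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_type'   => $post_type, // any registered type is accepted here
        'post_status' => 'draft',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// Hardened pattern: nonce check, allowlist of post types this feature is meant to
// create, and the capability of the *requested* post type rather than a generic one.
function example_create_page_hardened() {
    check_ajax_referer( 'example_create_page', 'nonce' );

    $allowed   = array( 'post', 'page' ); // only the types this feature should ever create
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : 'post';
    if ( ! in_array( $post_type, $allowed, true ) ) {
        wp_send_json_error( 'unsupported post type', 400 );
    }

    // Resolve the registered post type and check its own create capability.
    // For 'page' this is 'edit_pages'; for 'post' it is 'edit_posts'.
    $pto = get_post_type_object( $post_type );
    if ( ! $pto || ! current_user_can( $pto->cap->create_posts ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $post_id = wp_insert_post( array(
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_type'   => $post_type,
        'post_status' => 'draft',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_example_create_page', 'example_create_page_hardened' );
```

The allowlist and the per-type capability check are independent layers: the allowlist stops types the feature never intended to handle (including third-party custom types), and `$pto->cap->create_posts` ensures that even an allowed type is created only by roles WordPress itself permits to create it.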
Explanation of Vulnerability in Simple Terms
02 Summary
The Plus Addons for Elementor contains an authorization flaw in versions up to and including 6.4.7 that allows authenticated users to create content they are not permitted to create. An attacker with a low-privilege account (Author level or above) can add data through the plugin's functionality. The vulnerability requires a valid user account but no additional user interaction. Update to a version newer than 6.4.7 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Create or alter content and data they should not have permission to change.
Potential impact on your site
04 Site Impact
Unauthorized users can alter site content, potentially corrupting data or defacing pages.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege user account on the site.
Key dates
06 Disclosure timeline
February 18, 2026: CVE published
April 8, 2026: Record updated