CVE-2026-7665 MEDIUM

CVE-2026-7665: Essential Addons for Elementor <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler

Vendor Wpdevteam
Product Essential Addons for Elementor – Popular Elementor Templates & Widgets
Weakness CWE-639 · IDOR
Published June 6, 2026
Last update June 6, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

Explanation of Vulnerability in Simple Terms

02Summary

Essential Addons for Elementor versions up to 6.6.4 contain an information disclosure vulnerability. An attacker can read sensitive data without authentication or user interaction. The vulnerability affects the plugin's handling of data exposure, allowing unauthorized access to non-critical information. Update to a version newer than 6.6.4 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read sensitive information from the site without logging in.

Potential impact on your site

04Site Impact

Visitor or attacker can access non-critical sensitive data exposed by the plugin.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 6, 2026 CVE published
June 6, 2026 Record updated

Related vulnerabilities

08Related CVE