CVE-2026-9018 HIGH

CVE-2026-9018: Easy Elements for Elementor – Addons & Website Templates <= 1.4.5 - Unauthenticated Privilege Escalation via 'custom_meta' Parameter

Vendor Themewant
Product Easy Elements for Elementor – Addons & Website Templates
Weakness CWE-269
Published May 22, 2026
Last update May 22, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.

Explanation of Vulnerability in Simple Terms

02Summary

Easy Elements for Elementor versions up to 1.4.5 contain a privilege management flaw that allows authenticated users with low-level access to perform actions reserved for higher-privilege roles. An attacker with a basic user account can read, modify, or delete sensitive site data without proper authorization checks. Site administrators should update immediately to a version newer than 1.4.5.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete site data and settings without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users can compromise site content, settings, and data integrity.

Conditions required to exploit

05Prerequisites

Attacker needs a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated

Related vulnerabilities

08Related CVE