CVE-2026-25440

Essential Addons for Elementor – Popular Elementor Templates & Widgets < 6.6.0 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 6.6.0
Time to patch: 9d

Description

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 6.6.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: < 6.6.0
Published: April 22, 2026
Last updated: April 30, 2026

What Changed in the Fix

Changes introduced in v6.6.0


Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-25440 Missing Authorization in Essential Addons for Elementor

1. Vulnerability Summary

The Essential Addons for Elementor plugin (versions < 6.6.0) contains a missing authorization vulnerability. The plugin registers several AJAX handlers using wp_ajax_nopriv_, making them accessible to unauthenticated users. Specifically, the function responsible for regenerating external assets (CSS/JS) lacks a capability check (e.g., current_user_can( 'manage_options' )), allowing any visitor to trigger a resource-intensive asset regeneration process.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: eael_regenerate_external_scripts (inferred from common plugin maintenance tasks and Asset_Builder.php patterns).
  • Authentication: None (Unauthenticated).
  • Vulnerable Parameter: action=eael_regenerate_external_scripts.
  • Preconditions: The plugin must be active. If the handler calls check_ajax_referer, a valid nonce is required, but because no authorization check is performed, any unauthenticated visitor who obtains the nonce can still reach the handler.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=eael_regenerate_external_scripts.
  2. Hook Registration: The plugin registers the action:
Research Findings
Static analysis — not yet PoC-verified

Summary

The Essential Addons for Elementor plugin (versions < 6.6.0) is vulnerable to unauthorized access due to a missing capability check in its asset regeneration AJAX handler. Unauthenticated attackers can trigger the 'eael_regenerate_external_scripts' action, forcing the plugin to rebuild resource-intensive CSS and JS assets.

Vulnerable Code

// includes/Classes/Asset_Builder.php

// Hook registration is usually found in the class constructor or an init method
add_action( 'wp_ajax_eael_regenerate_external_scripts', [ $this, 'regenerate_external_scripts' ] );
add_action( 'wp_ajax_nopriv_eael_regenerate_external_scripts', [ $this, 'regenerate_external_scripts' ] );

---

// includes/Classes/Asset_Builder.php

public function regenerate_external_scripts() {
    // Missing current_user_can( 'manage_options' ) check
    // Missing check_ajax_referer() for nonce verification
    
    $this->remove_files(); // Deletes generated assets
    
    wp_send_json_success();
}
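The Research Plan above describes a static-analysis approach: find `wp_ajax_nopriv_` registrations and check whether the callback verifies a capability. The Python script below is an added example, not part of this page's analysis or of the plugin's code, that automates that check over PHP source: it collects every AJAX hook registration, extracts the callback body, and reports handlers reachable by visitors that never call `current_user_can()`. The PHP it scans is constructed for the example: one sample mirrors the vulnerable snippet quoted above, the other is a hardened variant; `demo_public_form`, `demo_form_nonce` and `eael_nonce_placeholder` are made-up names, not identifiers from the plugin.

```python
"""Audit WordPress plugin PHP for AJAX handlers exposed to visitors without
a capability check, as in the eael_regenerate_external_scripts case above."""
import re

# add_action( 'wp_ajax_[nopriv_]<action>', <callback> ) in its three usual callback
# shapes: [ $this, 'method' ], array( $this, 'method' ), or 'plain_function'.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?)([A-Za-z0-9_]+)['"]\s*,\s*"""
    r"""(?:\[\s*\$this\s*,\s*['"]([A-Za-z0-9_]+)['"]\s*\]"""
    r"""|array\(\s*\$this\s*,\s*['"]([A-Za-z0-9_]+)['"]\s*\)"""
    r"""|['"]([A-Za-z0-9_]+)['"])"""
)
CAPABILITY_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def function_body(source, name):
    """Text between the outer braces of `function name(...)`, or None if not found.
    Plain brace counting: adequate for an audit aid, not a PHP parser."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return None


def audit(source):
    """One record per add_action() AJAX registration found in `source`."""
    matches = list(HOOK_RE.finditer(source))
    privileged = {m.group(2) for m in matches if m.group(1) == "wp_ajax_"}
    findings = []
    for m in matches:
        prefix, action = m.group(1), m.group(2)
        callback = next(g for g in m.groups()[2:] if g)
        body = function_body(source, callback)
        findings.append({
            "action": action,
            "callback": callback,
            "nopriv": prefix == "wp_ajax_nopriv_",
            "also_privileged": action in privileged,  # same action also on wp_ajax_
            "has_capability_check": bool(body) and bool(CAPABILITY_RE.search(body)),
            "has_nonce_check": bool(body) and bool(NONCE_RE.search(body)),
        })
    return findings


def risky(findings):
    """nopriv handlers with no capability check that either mirror a logged-in
    wp_ajax_ registration (an admin feature reachable by visitors) or lack a nonce
    as well. A nopriv handler guarded only by a nonce may be a legitimately public form."""
    return [
        f for f in findings
        if f["nopriv"] and not f["has_capability_check"]
        and (f["also_privileged"] or not f["has_nonce_check"])
    ]


# Constructed sample modelled on the vulnerable snippet quoted on this page.
SAMPLE_VULNERABLE = r"""<?php
class Asset_Builder {
    public function __construct() {
        add_action( 'wp_ajax_eael_regenerate_external_scripts', [ $this, 'regenerate_external_scripts' ] );
        add_action( 'wp_ajax_nopriv_eael_regenerate_external_scripts', [ $this, 'regenerate_external_scripts' ] );
        add_action( 'wp_ajax_nopriv_demo_public_form', array( $this, 'public_form' ) );  // made-up public endpoint
    }
    public function regenerate_external_scripts() {
        $this->remove_files();
        wp_send_json_success();
    }
    public function public_form() {
        check_ajax_referer( 'demo_form_nonce', 'security' );
        wp_send_json_success( [ 'ok' => true ] );
    }
}
"""

# Constructed hardened variant: nopriv registration dropped, nonce and capability checked.
# 'eael_nonce_placeholder' is a hypothetical nonce action, not the plugin's real one.
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(
    "        add_action( 'wp_ajax_nopriv_eael_regenerate_external_scripts', [ $this, 'regenerate_external_scripts' ] );\n",
    "",
).replace(
    "        $this->remove_files();",
    "        check_ajax_referer( 'eael_nonce_placeholder', 'security' );\n"
    "        if ( ! current_user_can( 'manage_options' ) ) {\n"
    "            wp_send_json_error( [ 'message' => 'Permission denied' ] );\n"
    "        }\n"
    "        $this->remove_files();",
)

if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        hits = risky(audit(src))
        print(f"{label}: {len(hits)} risky handler(s)", [h["action"] for h in hits])
```

Findings from `risky()` are a review queue, not proof: `wp_ajax_nopriv_` exists for endpoints that are meant to serve visitors, so the decisive signal is the one this CVE shows, the same action registered under both the logged-in and the nopriv hook with no capability test in the shared callback.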

Security Fix

--- a/includes/Classes/Asset_Builder.php
+++ b/includes/Classes/Asset_Builder.php
@@ -150,6 +150,11 @@
 	public function regenerate_external_scripts() {
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( [ 'message' => esc_html__( 'Permission denied', 'essential-addons-for-elementor-lite' ) ] );
+		}
+
 		$this->remove_files();
 		wp_send_json_success();
 	}
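Review bot: the guard added at the top of `regenerate_external_scripts()` checks `manage_options` but adds no nonce verification, even though the Vulnerable Code notes above list a missing `check_ajax_referer()` alongside the missing capability check; add a `check_ajax_referer()` call with the plugin's nonce action before the capability test so a logged-in administrator cannot be made to trigger the rebuild through a forged request. Relying on `wp_send_json_error()` to halt execution works because it ends in `wp_die()`, but an explicit `return;` after it would make the intent plain. Since the handler is administrative, the `wp_ajax_nopriv_` registration shown in the Vulnerable Code section should also be removed rather than left pointing at a handler that now always denies visitors. The hunk header `@@ -150,6 +150,11 @@` does not match the four context and four added lines shown, so this hunk should be regenerated from the actual 6.6.0 source before it is relied on, consistent with the page's own "not yet PoC-verified" label.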

Exploit Outline

The exploit involves making an unauthenticated AJAX request to the WordPress backend. An attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'eael_regenerate_external_scripts'. Because the plugin registers this action via 'wp_ajax_nopriv_' and fails to verify user permissions (like 'manage_options') inside the handler function, the server will proceed to delete and rebuild the plugin's generated external script and style files. This can be performed without any valid user session or nonce, allowing for resource exhaustion or disruption of the site's front-end appearance and functionality.
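From the defender's side, the request pattern described in the outline can be watched for in web server logs. The Python below is an added example, not from this page or the plugin, that parses combined-format access log lines, flags any admin-ajax.php request whose query string names the action, and flags bursts of admin-ajax.php hits from one source, since the impact is repeated resource-intensive rebuilds. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Flag access-log evidence of the admin-ajax.php abuse described above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
WATCHED_ACTIONS = {"eael_regenerate_external_scripts"}
BURST_THRESHOLD = 5                   # admin-ajax.php hits from one IP ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this sliding window


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["action"] = parse_qs(url.query).get("action", [None])[0]
    return rec


def detect(lines):
    """Return alerts for watched actions in the query string and for bursts."""
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of admin-ajax.php hits in window
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != AJAX_PATH:
            continue
        if rec["action"] in WATCHED_ACTIONS:
            alerts.append({"type": "watched_action", "ip": rec["ip"],
                           "action": rec["action"], "method": rec["method"]})
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > BURST_WINDOW:
            window.pop(0)
        if len(window) == BURST_THRESHOLD:  # fire once, as the threshold is crossed
            alerts.append({"type": "burst", "ip": rec["ip"], "count": len(window),
                           "window_s": int(BURST_WINDOW.total_seconds())})
    return alerts


# Constructed sample: 203.0.113.10 probes the handler by GET, then repeats POST requests
# (a POST body, where the action would be, is not in the access log); 198.51.100.7 is
# ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Apr/2026:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=eael_regenerate_external_scripts HTTP/1.1" 200 27 "-" "curl/8.5.0"
203.0.113.10 - - [22/Apr/2026:10:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "curl/8.5.0"
203.0.113.10 - - [22/Apr/2026:10:15:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "curl/8.5.0"
203.0.113.10 - - [22/Apr/2026:10:15:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "curl/8.5.0"
203.0.113.10 - - [22/Apr/2026:10:15:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "curl/8.5.0"
203.0.113.10 - - [22/Apr/2026:10:15:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "curl/8.5.0"
198.51.100.7 - - [22/Apr/2026:10:16:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1532 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2026:10:16:31 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 4321 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

admin-ajax.php reads `action` from `$_REQUEST`, so it can arrive in the query string or in a POST body; the access log records only the former, which is why the volume heuristic is there, and why attributing POST traffic to a specific action needs a WAF or application-level log. Tune BURST_THRESHOLD against normal traffic before alerting in production: logged-in editors generate frequent legitimate admin-ajax.php calls (the WordPress Heartbeat API, for one), so scoping the burst rule to sources without an authenticated session keeps it quiet.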
