CVE-2026-2386 is an Incorrect Authorization vulnerability (CWE-863) found in The Plus Addons for Elementor plugin for WordPress, affecting all versions up to and including 6.4.7. The vulnerability stems from the tpae_create_page() AJAX handler, which authorizes users solely based on the 'edit_posts' capability. However, it accepts a user-controlled 'post_type' parameter that is passed directly to wp_insert_post() without verifying if the user has the appropriate capabilities for that specific post type. This means that authenticated users with Author-level permissions or higher can create draft posts of restricted post types such as 'page' or 'nxt_builder', which are normally reserved for higher privilege roles. The lack of post-type-specific capability checks allows privilege escalation in terms of content creation, potentially enabling attackers to inject unauthorized content or prepare posts that could be published later by higher-privileged users. The vulnerability does not allow direct content publishing or affect confidentiality or availability but compromises the integrity of the content management process. Exploitation requires authenticated access but no additional user interaction. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited scope and impact. No patches or exploits are currently reported, but the issue is publicly disclosed and should be addressed promptly.

For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress-managed content, especially for sites using The Plus Addons for Elementor plugin with multiple authors or editors. Unauthorized draft posts of restricted types could be created by attackers with Author-level access, potentially leading to content manipulation, misinformation, or preparation of malicious content for future publication. This could damage brand reputation, mislead customers, or disrupt e-commerce operations if WooCommerce-related post types are affected. Although confidentiality and availability are not directly impacted, the integrity compromise could facilitate social engineering or phishing campaigns if malicious content is published later. Organizations with strict content governance or regulatory compliance requirements (e.g., GDPR) may face additional risks if unauthorized content leads to data exposure or misinformation. The vulnerability is particularly relevant for websites with collaborative content creation workflows and those relying on this plugin for page templates, widgets, or mega menus.

To mitigate CVE-2026-2386, European organizations should: 1) Immediately update The Plus Addons for Elementor plugin to a patched version once available, as no official patch links are currently provided. 2) In the interim, restrict Author-level user permissions where possible, limiting the number of users with such access to reduce the attack surface. 3) Implement custom capability checks or filters in WordPress to enforce post-type-specific authorization before allowing post creation via AJAX handlers. 4) Monitor WordPress audit logs for unusual draft post creations, especially of restricted post types like 'page' or 'nxt_builder'. 5) Employ web application firewalls (WAFs) with rules to detect and block suspicious AJAX requests targeting the vulnerable handler. 6) Educate content managers and administrators to review draft posts carefully before publishing, to detect unauthorized content. 7) Regularly review user roles and permissions to ensure least privilege principles are enforced. 8) Consider disabling or limiting the use of the vulnerable plugin features if immediate patching is not feasible.