CVE-2026-4326 is a missing authorization vulnerability (CWE-862) in the Vertex Addons for Elementor WordPress plugin (versions up to 1.6.4). The vulnerability arises because the activate_required_plugins() function performs a capability check using current_user_can('install_plugins') but does not halt execution if the check fails. Instead, it only sets an error message variable, allowing the plugin installation and activation code to proceed regardless of user permissions. This flaw enables authenticated users with minimal privileges (Subscriber or higher) to install and activate arbitrary plugins, potentially leading to full site compromise. The vulnerability has a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high impact on confidentiality, integrity, and availability. No patch or official remediation is currently documented.

An attacker with authenticated access at Subscriber level or above can exploit this vulnerability to install and activate arbitrary plugins on the affected WordPress site. This can lead to complete site compromise, including unauthorized code execution, data disclosure, and denial of service. The high CVSS score (8.8) reflects the critical impact on confidentiality, integrity, and availability. There are no known exploits in the wild reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict authenticated user roles to trusted individuals only and consider disabling or removing the vulnerable plugin. Monitor for updates from the vendor or WordPress plugin repository for an official patch. Avoid granting install_plugins capability to untrusted users.