CVE-2026-9018: CWE-269 Improper Privilege Management in themewant Easy Elements for Elementor – Addons & Website Templates
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.
AI Analysis
Technical Summary
CVE-2026-9018 is a privilege escalation vulnerability in the Easy Elements for Elementor – Addons & Website Templates WordPress plugin (up to version 1.4.5). The vulnerability arises from the `easyel_handle_register()` function, which processes the `wp_ajax_nopriv_eel_register` AJAX request. It iterates over the attacker-controlled `custom_meta` POST array and writes each key-value pair to the new user's metadata using `update_user_meta()` without any whitelist or blocklist filtering. This allows an attacker to overwrite the `wp_capabilities` meta key after the user is created, effectively assigning administrator privileges to the new account. Successful exploitation requires that user registration is enabled on the WordPress site and that the Login/Register widget is present on at least one page to expose the necessary nonce token. The vulnerability is rated high severity with a CVSS 3.1 score of 8.8 (Network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality, integrity, and availability impacts). There is no vendor advisory or patch currently available, and no known exploits in the wild have been reported.
Potential Impact
An unauthenticated attacker can create a new user account with full administrator privileges on a vulnerable WordPress site. This allows complete control over the site, including the ability to modify content, install plugins or themes, and potentially compromise the entire hosting environment. The impact affects confidentiality, integrity, and availability of the affected system. Exploitation requires user registration to be enabled and the presence of the Login/Register widget exposing the nonce, which may limit exposure to some sites but remains a critical risk for those configured accordingly.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling user registration on the affected WordPress site if it is not required. Additionally, removing or restricting access to the Login/Register widget that exposes the `easy_elements_nonce` can reduce the attack surface. Monitoring for plugin updates from themewant is recommended to apply any forthcoming official patches promptly.
CVE-2026-9018: CWE-269 Improper Privilege Management in themewant Easy Elements for Elementor – Addons & Website Templates
Description
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9018 is a privilege escalation vulnerability in the Easy Elements for Elementor – Addons & Website Templates WordPress plugin (up to version 1.4.5). The vulnerability arises from the `easyel_handle_register()` function, which processes the `wp_ajax_nopriv_eel_register` AJAX request. It iterates over the attacker-controlled `custom_meta` POST array and writes each key-value pair to the new user's metadata using `update_user_meta()` without any whitelist or blocklist filtering. This allows an attacker to overwrite the `wp_capabilities` meta key after the user is created, effectively assigning administrator privileges to the new account. Successful exploitation requires that user registration is enabled on the WordPress site and that the Login/Register widget is present on at least one page to expose the necessary nonce token. The vulnerability is rated high severity with a CVSS 3.1 score of 8.8 (Network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality, integrity, and availability impacts). There is no vendor advisory or patch currently available, and no known exploits in the wild have been reported.
Potential Impact
An unauthenticated attacker can create a new user account with full administrator privileges on a vulnerable WordPress site. This allows complete control over the site, including the ability to modify content, install plugins or themes, and potentially compromise the entire hosting environment. The impact affects confidentiality, integrity, and availability of the affected system. Exploitation requires user registration to be enabled and the presence of the Login/Register widget exposing the nonce, which may limit exposure to some sites but remains a critical risk for those configured accordingly.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling user registration on the affected WordPress site if it is not required. Additionally, removing or restricting access to the Login/Register widget that exposes the `easy_elements_nonce` can reduce the attack surface. Monitoring for plugin updates from themewant is recommended to apply any forthcoming official patches promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-19T14:38:27.978Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0fe2c7e1370fbb4890d7da
Added to database: 5/22/2026, 4:59:51 AM
Last enriched: 5/22/2026, 5:14:55 AM
Last updated: 5/23/2026, 7:56:29 PM
Views: 54
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.