WordPress · Easy Elements For Elementor · CVE-2026-9018
**Name of the Vulnerable Software and Affected Versions**
Easy Elements for Elementor – Addons & Website Templates versions prior to 1.4.6
**Description**
An issue exists in the `easyel_handle_register()` function, where the `wp_ajax_nopriv_eel_register` AJAX handler processes the `custom_meta` POST array. The handler writes all supplied key-value pairs to the new user's meta using `update_user_meta()` without applying a whitelist or blocklist. This allows an unauthenticated attacker to overwrite the `wp_capabilities` user meta key after a safe role has been assigned by `wp_insert_user()`. By providing `custom_meta[wp_capabilities][administrator]=1`, an attacker can register an account with full administrator privileges. This requires user registration to be enabled and a page to expose the Login/Register widget, which reveals the `easy_elements_nonce` in the page DOM.
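The allowlist check that the description says the handler lacks, as an added example in plain PHP (not the plugin's own code or its actual fix). The function name, the constant and the allowed field names are hypothetical, and the sample request array is constructed.

```php
<?php
// Added example: hypothetical allowlist of profile fields a registration form may set.
const EXAMPLE_ALLOWED_META = ['phone', 'company', 'newsletter_opt_in'];

/**
 * Split submitted registration meta into accepted pairs and rejected keys.
 * Only exact allowlisted keys with scalar values pass; everything else is
 * returned in the rejected list so the caller can log it.
 */
function example_filter_registration_meta($submitted, array $allowed = EXAMPLE_ALLOWED_META): array
{
    $accepted = [];
    $rejected = [];
    if (!is_array($submitted)) {
        return [$accepted, $rejected];
    }
    foreach ($submitted as $key => $value) {
        $key = (string) $key;
        // An allowlist also covers sites with a custom table prefix, where the
        // role key is "<prefix>capabilities" and a literal blocklist would miss it.
        if (!in_array($key, $allowed, true)) {
            $rejected[] = $key;
            continue;
        }
        // A role map arrives as a nested array; profile fields are scalars.
        if (!is_scalar($value)) {
            $rejected[] = $key;
            continue;
        }
        $accepted[$key] = trim((string) $value);
    }
    return [$accepted, $rejected];
}

// Constructed sample request body mixing a legitimate field with the role key.
$post = ['custom_meta' => [
    'phone'           => ' 555-0100 ',
    'wp_capabilities' => ['administrator' => '1'],
]];

[$accepted, $rejected] = example_filter_registration_meta($post['custom_meta']);
var_dump($accepted);  // only 'phone' survives
var_dump($rejected);  // 'wp_capabilities' is reported, never written

// Inside WordPress, only the accepted pairs would then be stored, e.g.
// update_user_meta($user_id, $key, sanitize_text_field($value));
```

Logging the rejected keys gives a detection signal: a registration request that carries `wp_capabilities` has no legitimate origin in the widget's form.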
**Recommendations**
Update the plugin to a version later than 1.4.5.
As a temporary workaround, disable user registration on the site or remove the Login/Register widget from all pages to prevent the exposure of the `easy_elements_nonce` and the use of the registration handler.