PT-2023-12427 · WordPress · The Plus Addons For Elementor

Chloe Chamberland

·

Published

2023-03-07

·

Updated

2023-03-14

·

CVE-2021-4331

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Plus Addons for Elementor plugin for WordPress, versions up to and including 4.1.9 (pro) and 2.0.6 (free)

Description: The plugin is vulnerable to privilege escalation because its registration form widget lets the user building the form choose the role that newly registered users receive. That setting is not withheld from lower-level users such as contributors, who can set the default role to administrator and then register an account through the form. A contributor cannot publish the post that carries the form, so in their case an editor or administrator must publish it first; users with the author role or above can publish their own posts, so they can complete the escalation with no interaction from a site administrator.

Recommendations: For versions up to 4.1.9 (pro), update to a version that fixes this issue. For versions up to 2.0.6 (free), update to a version that fixes this issue. As a temporary workaround, consider restricting access to the Elementor page builder for lower-level users, such as contributors and authors, to reduce the risk of exploitation until the update is applied.
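The following PHP illustrates the class of bug described above and how a plugin author would close it. It is an added example written for this advisory, not code from The Plus Addons for Elementor; the function names, the `register_default_role` setting key and the `myplugin_self_registration_roles` filter are hypothetical. The WordPress functions it calls (`wp_insert_user`, `get_option`, `current_user_can`, `get_editable_roles`, `sanitize_key`, `sanitize_user`, `sanitize_email`) are real core APIs.

```php
<?php
// Added example for this advisory (not the plugin's code). Assumed/hypothetical
// names: $widget_settings['register_default_role'], the two handler functions,
// sanitize_role_setting_on_save() and the 'myplugin_self_registration_roles' filter.

// VULNERABLE pattern: the role stored in the widget settings was chosen by
// whoever edited the page. An author (or a contributor whose post is later
// published) can store 'administrator' here, then sign up through the form.
function register_from_form_vulnerable( array $widget_settings, array $posted ) {
    $userdata = array(
        'user_login' => sanitize_user( $posted['username'] ),
        'user_email' => sanitize_email( $posted['email'] ),
        'user_pass'  => $posted['password'],           // wp_insert_user() hashes it
        'role'       => $widget_settings['register_default_role'], // attacker-controlled
    );
    return wp_insert_user( $userdata ); // returns user ID or WP_Error
}

// HARDENED pattern: the stored value is only a hint. It is honoured only if it
// is one of the low-privilege roles a self-registration may ever receive;
// anything else falls back to the site-wide default role (Settings > General).
function register_from_form_hardened( array $widget_settings, array $posted ) {
    $site_default = get_option( 'default_role', 'subscriber' );

    // Hypothetical filter so an administrator can widen the allowlist deliberately.
    $allowed = apply_filters( 'myplugin_self_registration_roles', array( 'subscriber' ) );

    $requested = isset( $widget_settings['register_default_role'] )
        ? sanitize_key( $widget_settings['register_default_role'] )
        : '';

    $role = in_array( $requested, $allowed, true ) ? $requested : $site_default;

    $userdata = array(
        'user_login' => sanitize_user( $posted['username'] ),
        'user_email' => sanitize_email( $posted['email'] ),
        'user_pass'  => $posted['password'],
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}

// Defence in depth on the editor side: when the widget settings are saved,
// refuse to persist a role the saving user could not assign in wp-admin.
// In WordPress only administrators hold 'promote_users'.
function sanitize_role_setting_on_save( $requested_role ) {
    $site_default   = get_option( 'default_role', 'subscriber' );
    $requested_role = sanitize_key( $requested_role );

    if ( ! current_user_can( 'promote_users' ) ) {
        return $site_default;
    }

    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $editable = array_keys( get_editable_roles() );

    return in_array( $requested_role, $editable, true ) ? $requested_role : $site_default;
}
```

The important design point is that the role assigned to an unauthenticated signup must never be decided by data that a low-privilege user can write. Validating at registration time (the allowlist) is what actually closes the hole; validating at save time is a second layer that also keeps a privileged value out of the database in the first place, which matters if another code path reads the same setting.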

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2021-4331

Affected Products

The Plus Addons For Elementor