PT-2026-20387 · Elementor+1

Dmitry Ignatyev · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-2386

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress versions through 6.4.7

Description

The software contains an authorization flaw. The tpae_create_page() AJAX handler only verifies that users have the 'edit_posts' capability, but it directly uses a user-supplied post_type value in the wp_insert_post() function without checking for post-type-specific permissions. This allows authenticated attackers with Author-level access or higher to create draft posts for restricted post types, such as 'page' and 'nxt_builder', by manipulating the post_type parameter.

Recommendations

Update The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress to a version later than 6.4.7.
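The post-type-specific check the description says is missing, shown as an added example for plugin developers auditing similar AJAX handlers. It is not the plugin's code or the vendor's patch; the handler name, nonce action, request field names and allow-list are hypothetical.

```php
<?php
// Added illustration. example_create_page, its nonce action and the
// allow-list below are hypothetical names, not taken from the plugin.
add_action( 'wp_ajax_example_create_page', 'example_create_page' );

function example_create_page() {
    // Reject cross-site requests before reading any other input.
    check_ajax_referer( 'example_create_page', 'nonce' );

    // Generic gate. On its own this is the flawed pattern: Authors hold
    // 'edit_posts', so stopping here lets the request choose any post type.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $post_type = isset( $_POST['post_type'] )
        ? sanitize_key( wp_unslash( $_POST['post_type'] ) )
        : '';

    // 1. Allow-list: only the types this feature is meant to create.
    $allowed_types = array( 'post', 'page' ); // hypothetical list
    if ( ! in_array( $post_type, $allowed_types, true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported post type' ), 400 );
    }

    // 2. Post-type-specific capability: for 'page' this resolves to
    //    'edit_pages', which the Author role does not have by default.
    $type_object = get_post_type_object( $post_type );
    if ( ! $type_object || ! current_user_can( $type_object->cap->create_posts ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $title   = isset( $_POST['post_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['post_title'] ) )
        : '';
    $post_id = wp_insert_post(
        array(
            'post_type'   => $post_type,
            'post_status' => 'draft',
            'post_title'  => $title,
        ),
        true // return WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

A custom post type only benefits from the second check if it was registered with its own capability_type or capabilities; a type registered with the default 'post' capabilities resolves back to 'edit_posts'.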

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-2386

Affected Products

Elementor
The Plus Addons For Elementor