PT-2026-42729 · WordPress · Easy Elements For Elementor

Published: 2026-05-22 · Updated: 2026-05-22 · CVE-2026-9018

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Easy Elements for Elementor – Addons & Website Templates versions prior to 1.4.6

Description

An issue exists in the easyel_handle_register() function, where the wp_ajax_nopriv_eel_register AJAX handler processes the custom_meta POST array. The handler writes all supplied key-value pairs to the new user's meta using update_user_meta() without utilizing a whitelist or blocklist. This allows an unauthenticated attacker to overwrite the wp_capabilities user meta key after a safe role has been assigned by wp_insert_user(). By providing custom_meta[wp_capabilities][administrator]=1, an attacker can register an account with full administrator privileges. This requires user registration to be enabled and a page to expose the Login/Register widget, which reveals the easy_elements_nonce in the page DOM.

Recommendations

Update the plugin to a version later than 1.4.5. As a temporary workaround, disable user registration on the site or remove the Login/Register widget from all pages to prevent the exposure of the easy_elements_nonce and the use of the registration handler.
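
The missing control described above is an allowlist on the keys taken from custom_meta. The following PHP is an added illustration of that control, not the plugin's code or its actual patch; the example_* functions, the EXAMPLE_ALLOWED_META list and its field names are hypothetical, and the code assumes it runs inside WordPress.

```php
<?php
// Added illustration: runs inside WordPress; example_* names are hypothetical.

// Assumed allowlist of profile fields a public registration form may set.
const EXAMPLE_ALLOWED_META = array( 'first_name', 'last_name', 'phone' );

// Reduce an untrusted custom_meta array to allowlisted keys with scalar values.
function example_filter_custom_meta( $raw ) {
    $clean = array();
    if ( ! is_array( $raw ) ) {
        return $clean;
    }
    foreach ( $raw as $key => $value ) {
        // Drops wp_capabilities, wp_user_level and any other unlisted key,
        // and drops nested arrays such as custom_meta[key][subkey].
        if ( ! in_array( $key, EXAMPLE_ALLOWED_META, true ) || ! is_scalar( $value ) ) {
            continue;
        }
        $clean[ $key ] = sanitize_text_field( wp_unslash( $value ) );
    }
    return $clean;
}

// Call after wp_insert_user() has created the account with its safe role.
function example_save_registration_meta( $user_id, array $post ) {
    // Pattern the advisory describes (do not use): every supplied pair is stored.
    //   foreach ( $post['custom_meta'] as $k => $v ) { update_user_meta( $user_id, $k, $v ); }
    $raw = isset( $post['custom_meta'] ) ? $post['custom_meta'] : array();
    foreach ( example_filter_custom_meta( $raw ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }

    // Defense in depth: a self-registered account must not hold admin rights.
    if ( user_can( $user_id, 'manage_options' ) ) {
        $user = new WP_User( $user_id );
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
}
```

The final check only resets the role; the allowlist is what keeps capability and level keys from being written in the first place.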

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2026-9018

Affected Products

Easy Elements For Elementor