Threat Feed
critical advisory

Easy Elements for Elementor Plugin Privilege Escalation (CVE-2026-9018)

CVE-2026-9018 allows unauthenticated attackers to escalate privileges to administrator by exploiting a vulnerability in the Easy Elements for Elementor plugin, which lacks proper input validation during user registration.

The Easy Elements for Elementor – Addons & Website Templates plugin, versions 1.4.5 and below, contains a critical vulnerability (CVE-2026-9018) that allows unauthenticated attackers to gain administrator privileges on a WordPress site. This vulnerability stems from the easyel_handle_register() function, specifically within the wp_ajax_nopriv_eel_register AJAX handler. The handler fails to properly sanitize or validate the custom_meta POST array during user registration. An attacker can inject arbitrary key-value pairs into the user’s metadata, including the wp_capabilities key, effectively granting themselves administrator access. This exploit requires user registration to be enabled and the presence of the Login/Register widget on at least one page to expose the easy_elements_nonce.

Attack Chain

  1. The attacker identifies a WordPress site with the Easy Elements for Elementor plugin (<= 1.4.5) installed and user registration enabled.
  2. The attacker accesses a page containing the Login/Register widget.
  3. The attacker retrieves the easy_elements_nonce value from the page’s HTML source code via a GET request.
  4. The attacker crafts a malicious POST request to wp-admin/admin-ajax.php with the action set to eel_register.
  5. The POST request includes user registration details (username, email, password) and a custom_meta array containing wp_capabilities[administrator]=1.
  6. The wp_ajax_nopriv_eel_register AJAX handler processes the request, creating a new user account using wp_insert_user().
  7. The handler then iterates through the custom_meta array, using update_user_meta() to write the attacker-supplied wp_capabilities value to the newly created user’s metadata, overwriting the default role.
  8. The attacker logs in with the newly created account and now has full administrator privileges on the WordPress site.

Impact

Successful exploitation of CVE-2026-9018 grants unauthenticated attackers complete control over the affected WordPress website. This includes the ability to modify content, install malicious plugins, create new administrator accounts, access sensitive data, and potentially compromise the underlying server. The vulnerability poses a significant risk to any WordPress site using the vulnerable plugin versions where user registration is enabled.

Recommendation

  • Immediately update the Easy Elements for Elementor – Addons & Website Templates plugin to the latest version to patch CVE-2026-9018.
  • As a preventative measure, disable user registration on WordPress sites if it is not a required feature.
  • Deploy the Sigma rule “Detect CVE-2026-9018 Exploitation Attempt via User Registration” to monitor for malicious user registration requests with manipulated wp_capabilities.
  • Review user accounts for unexpected administrator privileges and investigate any anomalies.

Detection coverage (2 rules)

Detect CVE-2026-9018 Exploitation Attempt via User Registration

critical

Detects CVE-2026-9018 exploitation attempts by monitoring POST requests to wp-admin/admin-ajax.php that carry the eel_register action and try to set wp_capabilities to administrator.

Format: Sigma | Tactics: privilege_escalation | Techniques: T1548 | Sources: webserver
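The request pattern described in the attack chain above is also what the Sigma rule keys on, so the following added example (not code from this feed, the plugin, or the Sigma rule itself) shows the detection logic as a small log scanner. It assumes a reverse proxy or WAF log that records the URL-encoded POST body in a `body="..."` field, since a stock access log does not contain request bodies; the log lines are constructed samples, and the `custom_meta[...capabilities]` / `user_level` suffix matching is an assumption made so that the check also works on sites with a non-default table prefix.

```python
import re
from urllib.parse import parse_qs

# Assumed log format (constructed for this example):
#   <method> <path> <status> body="<url-encoded POST body>"
LOG_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) body="(?P<body>.*)"$'
)

# Meta keys that control a WordPress user's role. Matched by suffix because
# the real key carries the site's table prefix ("wp_" by default).
ROLE_KEY_RE = re.compile(r"^custom_meta\[[^\]]*(?:capabilities|user_level)\]")

# Constructed sample traffic: one exploitation attempt, one ordinary
# registration through the same handler, and two unrelated requests.
SAMPLE_LOGS = [
    'POST /wp-admin/admin-ajax.php 200 body="action=eel_register&username=alice'
    '&email=a%40example.com&password=x'
    '&custom_meta%5Bwp_capabilities%5D%5Badministrator%5D=1&easy_elements_nonce=abc"',
    'POST /wp-admin/admin-ajax.php 200 body="action=eel_register&username=bob'
    '&email=b%40example.com&password=y&custom_meta%5Bcompany%5D=acme"',
    'POST /wp-admin/admin-ajax.php 200 body="action=heartbeat&_nonce=zz"',
    'GET /about-us/ 200 body=""',
]


def parse_line(line):
    """Split a log line into its fields and decode query and body parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    # Merge query-string and body parameters; the action may arrive in either.
    params = parse_qs(query, keep_blank_values=True)
    params.update(parse_qs(rec["body"], keep_blank_values=True))
    rec["params"] = params
    return rec


def is_eel_register(rec):
    """True for a POST to admin-ajax.php whose action is eel_register."""
    return (
        rec["method"] == "POST"
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and rec["params"].get("action") == ["eel_register"]
    )


def role_meta_keys(params):
    """Return custom_meta keys that would write a role or capability entry."""
    return [k for k in params if ROLE_KEY_RE.match(k)]


def classify(line):
    """Return a finding dict for eel_register requests, or None otherwise."""
    rec = parse_line(line)
    if rec is None or not is_eel_register(rec):
        return None
    hits = role_meta_keys(rec["params"])
    if hits:
        return {
            "severity": "critical",
            "reason": "eel_register request carries role/capability metadata",
            "keys": hits,
        }
    # Ordinary registrations through the handler are kept as informational
    # context so an analyst can baseline normal sign-up volume.
    return {"severity": "info", "reason": "eel_register registration", "keys": []}


def scan(lines):
    """Return (line_index, finding) pairs for every eel_register request."""
    return [(i, f) for i, line in enumerate(lines) for f in [classify(line)] if f]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOGS):
        print(idx, finding["severity"], finding["reason"], finding["keys"])
```

The critical tier fires only when a `custom_meta` key would land on a capabilities or user-level entry, which is the condition the advisory's Sigma rule describes; every other registration through the handler is reported at an informational level rather than dropped, so the volume of legitimate sign-ups is visible alongside any attempt. Requests that put the action in the query string instead of the body are handled by merging both parameter sets before the check.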

Detect Easy Elements Nonce Retrieval

low

Detects attempts to retrieve the easy_elements_nonce, potentially as a preliminary step to exploiting CVE-2026-9018.

Format: Sigma | Tactics: reconnaissance | Techniques: T1595 | Sources: webserver
