Easy Elements for Elementor – Addons & Website Templates Plugin — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/easy-elements-for-elementor--addons--website-templates-plugin/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 20 May 2026 02:18:13 +0000CVE-2026-7284 - Easy Elements for Elementor WordPress Plugin Privilege Escalationhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-7284-wordpress-privesc/Wed, 20 May 2026 02:18:13 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-7284-wordpress-privesc/The Easy Elements for Elementor plugin for WordPress is vulnerable to privilege escalation (CVE-2026-7284) due to unrestricted user role assignment during registration, allowing unauthenticated attackers to gain administrator access.The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress, versions up to and including 1.4.4, contains a privilege escalation vulnerability (CVE-2026-7284). The vulnerability resides in the ’easyel_handle_register’ function, which fails to properly validate or restrict user roles assigned during registration. This oversight allows unauthenticated attackers to register new accounts with administrative privileges, effectively granting them full control over the affected WordPress site. The vulnerability was reported by Wordfence.

Attack Chain

  1. An unauthenticated attacker sends a registration request to the WordPress site.
  2. The registration request is directed to the ’easyel_handle_register’ function within the Easy Elements for Elementor plugin.
  3. The attacker includes the ‘administrator’ role in the registration data.
  4. The ’easyel_handle_register’ function processes the registration request without proper validation of the requested user role.
  5. A new user account is created with the ‘administrator’ role.
  6. The attacker logs in to the WordPress site using the newly created administrator account.
  7. The attacker has complete control over the WordPress site.

Impact

Successful exploitation of CVE-2026-7284 allows unauthenticated attackers to gain full administrative control over a WordPress website. This could lead to complete compromise, including arbitrary code execution via plugin or theme modification, data exfiltration, defacement, or denial of service. Given the widespread use of WordPress and the Elementor plugin, a large number of websites are potentially vulnerable.

Recommendation

  • Upgrade the Easy Elements for Elementor – Addons & Website Templates plugin to the latest version, which contains a fix for CVE-2026-7284.
  • Deploy the Sigma rule Detect WordPress Administrator Registration to identify registration attempts with the administrator role.
  • Monitor WordPress user registration logs for suspicious activity and unexpected administrator account creation.
]]>criticaladvisoryprivilege-escalationwordpresscve-2026-7284