<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Essential Addons for Elementor – Popular Elementor Templates &amp; Widgets Plugin (&lt;= 6.6.10) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/essential-addons-for-elementor--popular-elementor-templates--widgets-plugin--6.6.10/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 07:19:11 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/essential-addons-for-elementor--popular-elementor-templates--widgets-plugin--6.6.10/feed.xml" rel="self" type="application/rss+xml"/><item><title>Authenticated Account Takeover in Essential Addons for Elementor WordPress Plugin</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15155/</link><pubDate>Sat, 11 Jul 2026 07:19:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15155/</guid><description>A vulnerability (CVE-2026-15155) in the Essential Addons for Elementor WordPress plugin, specifically within its Login/Register widget, allows authenticated attackers with Contributor-level access or higher to achieve administrator account takeover by injecting an additional Bcc header into administrator password-reset notification emails.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-15155, has been identified in the Essential Addons for Elementor - Popular Elementor Templates &amp; Widgets plugin for WordPress, affecting all versions up to and including 6.6.10. This flaw enables authenticated attackers with Contributor-level privileges or higher to execute an administrator account takeover. The vulnerability stems from insufficient server-side validation of a Login/Register widget setting, which is used to construct outgoing email headers. While client-side UI enforces allowed values, the server-side processing lacks proper sanitization to strip or encode CR/LF characters. This allows attackers to embed CR/LF sequences into the setting, which then propagate into raw email headers. By injecting an additional Bcc header containing an attacker-controlled email address into the WordPress administrator's password-reset notification email, the attacker can intercept the password-reset link and gain full administrative control over the WordPress site. The CVSS v3.1 Base Score for this vulnerability is 8.8, indicating high severity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker with Contributor-level access or higher gains access to the WordPress dashboard.</li>
<li>The attacker navigates to and modifies a specific setting within the Login/Register widget of the Essential Addons for Elementor plugin.</li>
<li>The attacker injects Carriage Return (CR) and Line Feed (LF) characters (<code>%0D%0A</code> or similar encoding) into the vulnerable setting, followed by <code>Bcc: attacker@example.com</code>.</li>
<li>The WordPress administrator initiates a password reset for their account.</li>
<li>The WordPress system generates a password-reset notification email for the administrator.</li>
<li>Due to the vulnerability, the injected <code>Bcc</code> header from the modified widget setting is included in the raw email headers.</li>
<li>A copy of the password-reset notification email, including the unique reset link, is sent to the attacker's email address.</li>
<li>The attacker uses the intercepted password-reset link to change the administrator's password and subsequently log in as the administrator, achieving full account takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15155 leads to complete administrator account takeover on the affected WordPress site. This can result in severe consequences, including but not limited to, website defacement, arbitrary code execution (e.g., injecting malware or web shells), data theft, compromise of user databases, SEO spam injection, or use of the compromised website for further attacks against other systems. Organizations using the vulnerable plugin risk significant reputational damage, data breaches, and potential legal or compliance repercussions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-15155 immediately by updating the &quot;Essential Addons for Elementor - Popular Elementor Templates &amp; Widgets&quot; plugin to a version greater than 6.6.10.</li>
<li>Review WordPress audit logs (if enabled) for unusual plugin setting modifications by Contributor-level users or lower, especially those related to email configurations.</li>
<li>Examine email logs for WordPress-generated password reset notifications that contain unexpected <code>Bcc</code> headers or are sent to unknown external email addresses.</li>
<li>Implement strong authentication measures and regularly audit user privileges to ensure least privilege access across all WordPress user accounts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>web-application</category><category>cve</category><category>account-takeover</category><category>email-injection</category></item></channel></rss>