WordPress Plugin Vulnerabilities

Essential Addons for Elementor < 6.6.0 - Unauthenticated Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check, allowing unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 6.6.0

References

CVE
CVE-2026-25440
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2552407-0b32-4129-b131-792305ed023e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Que Thanh Tuan
Verified
No
WPVDB ID
4d12d6f5-4ca3-4cf7-985a-6e443550dbfa

Timeline

Publicly Published
2026-04-22 (about 22 days ago)
Added
2026-05-04 (about 10 days ago)
Last Updated
2026-05-04 (about 10 days ago)

Other

Published
Title
Published
2025-01-07
Title
ST Gallery WP <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2024-04-29
Title
MailerLite – Signup forms (official) < 1.7.7 - Missing Authorization
Published
2024-08-16
Title
Clone < 2.4.6 - Missing Authorization
Published
2024-12-23
Title
PlugVersions – Easily rollback to previous versions of your plugins < 0.0.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation
Published
2024-02-05
Title
Royal Elementor Kit < 1.0.117 - Missing Authorization to Arbitrary Transient Update