WordPress Plugin Vulnerabilities

Essential Addons for Elementor < 6.5.6 - Unauthenticated Sensitive Information Exposure

Description

The plugin is vulnerable to Sensitive Information Exposure via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 6.5.6

References

CVE
CVE-2026-1004
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
shrikant bhosale
Verified
No
WPVDB ID
b3ed1952-c42e-445d-88c6-4167a5c257db

Timeline

Publicly Published
2026-01-15 (about 3 months ago)
Added
2026-01-16 (about 3 months ago)
Last Updated
2026-01-16 (about 3 months ago)

Other

Published
Title
Published
2025-05-16
Title
Eventer <= 3.9.6 - Missing Authorization
Published
2024-12-11
Title
Awesome Support < 6.3.2 - Missing Authorization
Published
2025-06-04
Title
Icegram Collect – Easy Form, Lead Collection and Subscription plugin < 1.3.19 - Missing Authorization
Published
2024-03-28
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.1.1 - Missing Authorization
Published
2024-08-26
Title
JobSearch < 2.5.6 - Missing Authorization