Easy Elements for Elementor < 1.4.5 – Unauthenticated Privilege Escalation via easyel_handle_register | CVE 2026-7284

Description

The plugin is vulnerable to privilege escalation via user registration due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Proof of Concept

The PoC will be displayed on June 24, 2026, to give users the time to update.

Affects Plugins

easy-elements

Fixed in 1.4.5

References

CVE

CVE-2026-7284

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/32b6ccfe-a659-41e4-9cec-146f4f910071

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

Ankit Patel

Verified

Yes

WPVDB ID

be3d5432-8f8c-4d45-b6e7-de24352378a8

Timeline

Publicly Published

2026-05-19 (about 2 days ago)

Added

2026-05-19 (about 1 day ago)

Last Updated

2026-05-20 (about 1 hour ago)

Other

Published

Title

Published

2026-01-21

Title

LA-Studio Element Kit for Elementor < 1.6.0 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter

Published

2025-10-16

Title

Voice Feedback < 2.0.0 - Subscriber+ Privilege Escalation

Published

2019-12-30

Title

Photo Gallery – Image Gallery by Ape <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation

Published

2026-02-18

Title

Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration

Published

2025-02-28

Title

Nokri < 1.6.3 - Unauthenticated Arbitrary Password Change