⚡ Active KEV CVE-2026-7284 2026-05-20

CVE-2026-7284: Easy Elements for Elementor Plugin Allows Unauthenticated Admin Takeover

"A critical privilege escalation flaw (CVSS 9.8) in the Easy Elements for Elementor WordPress plugin lets unauthenticated attackers register directly as administrators, granting full control of affected sites."

What Is It

CVE-2026-7284 is a privilege escalation vulnerability in the Easy Elements for Elementor – Addons & Website Templates plugin for WordPress. The flaw lives in the easyel_handle_register function, which does not restrict the user role that can be supplied during registration. An unauthenticated attacker can submit a registration request that sets their own role to administrator, and the plugin honors it. The issue is classified as CWE-269 (Improper Privilege Management) and carries a CVSS 3.1 base score of 9.8 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, no privileges or user interaction required, and full impact to confidentiality, integrity, and availability.
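As an added example (not the plugin's code, and not the changeset's diff), this is how a WordPress AJAX registration handler should treat the role so that the CWE-269 pattern cannot arise: the role is assigned server-side and never read from the request. The hook, function and field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a minimal AJAX registration
// handler showing the CWE-269 pattern and its fix. Hook, function and field
// names are assumptions for this example.

// VULNERABLE PATTERN (do not use): the role comes from the request, so a
// client can submit 'administrator':
//   $role = sanitize_text_field( $_POST['role'] );
//   wp_insert_user( array( /* ... */ 'role' => $role ) );

add_action( 'wp_ajax_nopriv_example_register', 'example_handle_register' );

function example_handle_register() {
    // Reject requests without a valid nonce for this action.
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    // Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( '' === $username || ! is_email( $email ) || '' === $password ) {
        wp_send_json_error( 'Missing or invalid fields.', 400 );
    }

    // FIX: the role is never read from the request; it is fixed server-side.
    // Reading the site's default_role option would also be acceptable, but a
    // hard-coded low-privilege role leaves nothing for a tampered option to raise.
    $role = 'subscriber';

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Any role change beyond the default belongs in a separate, capability-checked admin action (for example behind `current_user_can( 'promote_users' )`), never in the public registration path.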

Why It Matters

This is a one-shot remote site takeover. Any WordPress site running a vulnerable build of Easy Elements with registration reachable can be commandeered by an anonymous attacker who simply tampers with the registration form's role parameter. With administrator access, an attacker can install backdoored plugins, exfiltrate user data, deface or destroy content, pivot into hosting infrastructure, and conscript the site into malware-distribution or SEO-spam campaigns. Bulk exploitation against WordPress plugin flaws of this class is routine, and the lack of any authentication or interaction requirement makes mass scanning trivial.

What's Vulnerable

Patch Status

The vulnerable code was changed in Easy Elements changeset 3534530 (referenced in the WordPress plugin trac). Site operators running Easy Elements 1.4.4 or earlier should update to the fixed release immediately, audit user accounts for unexpected administrator-role users created during the exposure window, and rotate credentials and secrets if takeover is suspected. CISA KEV does not currently list CVE-2026-7284, so active exploitation has not been formally confirmed by KEV at the time of writing.

Sources