PatchSiren cyber security CVE debrief

CVE-2026-45443 ADD-ONS.ORG CVE debrief

CVE-2026-45443 is a missing authorization issue described as broken access control in PDF for Elementor Forms + Drag And Drop Template Builder. The record says affected versions run from n/a through 5.5.1, and the NVD entry maps it to CWE-862 with a network-reachable, low-privilege attack path.

Vendor: ADD-ONS.ORG
Product: PDF for Elementor Forms + Drag And Drop Template Builder
CVSS: MEDIUM 5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Site owners, WordPress administrators, and security teams running PDF for Elementor Forms + Drag And Drop Template Builder, especially where untrusted or lower-privileged users can access the site backend or plugin features. This is also relevant to teams that rely on access-control assumptions for form-to-PDF workflows.

Technical summary

The NVD record describes the issue as a Missing Authorization / Broken Access Control weakness (CWE-862). The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N, which indicates a remotely reachable problem that requires only low privileges and can affect integrity with scope change. The source reference points to a Patchstack advisory for the plugin, while NVD lists the vulnerability status as Deferred.

Defensive priority

Medium to high for any internet-facing site using the affected plugin. The issue is not rated critical, but authorization failures can expose administrative or content-integrity paths that are easy to miss in review.

Recommended defensive actions

  • Inventory any installations of PDF for Elementor Forms + Drag And Drop Template Builder and confirm whether versions through 5.5.1 are present.
  • Apply the vendor or advisory guidance as soon as a fixed version is available; if the plugin is not needed, disable or remove it.
  • Review role-based access controls for plugin-related workflows and confirm that low-privileged users cannot reach sensitive actions.
  • Check logs and recent administrative changes for unexpected content or configuration changes tied to the plugin.
  • Monitor the Patchstack advisory and official CVE/NVD entries for remediation updates, since the NVD record currently shows the vulnerability status as Deferred.

Evidence notes

Source data identifies the weakness as Missing Authorization and maps it to CWE-862. NVD’s CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N, supporting a network-reachable issue requiring low privileges. The affected range is listed as from n/a through 5.5.1. NVD also marks the vuln status as Deferred and cites the Patchstack advisory URL as its reference.

Official resources

CVE published at 2026-05-20T13:16:36.267Z and modified at 2026-05-20T13:54:54.890Z. The supplied source record shows the same publication and modification timestamps, and no KEV listing is indicated.