PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7284 themewant CVE debrief

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress contains a critical privilege escalation vulnerability in versions up to and including 1.4.4. The `easyel_handle_register` function fails to restrict user roles during registration, allowing unauthenticated attackers to specify arbitrary roles including 'administrator' during account creation. This grants immediate administrative access to the affected WordPress site. The vulnerability was disclosed on 2026-05-20 and carries a CVSS 3.1 score of 9.8 (Critical). A patch has been committed to the plugin repository.

Vendor: themewant
Product: Easy Elements for Elementor – Addons & Website Templates
CVSS: 9.8 (CRITICAL)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators using Easy Elements for Elementor plugin versions ≤1.4.4; security teams managing WordPress installations; hosting providers with shared WordPress environments

Technical summary

The vulnerability exists in the `easyel_handle_register` function within the Easy Elements for Elementor plugin. The function processes user registration requests without validating or restricting the `role` parameter, allowing attackers to inject arbitrary WordPress role values. By supplying 'administrator' as the role during registration, unauthenticated attackers gain full administrative control of the WordPress installation. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects network attack vector, low complexity, no privileges required, no user interaction, and high impact across confidentiality, integrity, and availability.
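To make the flaw concrete, the following is a constructed illustration added to this debrief, not the plugin's actual code (which this page does not reproduce): a registration handler that takes the role from the request, shown beside a hardened form that ignores any client-supplied role. The form field names, the nonce action `easyel_register` and the `_vulnerable`/`_hardened` suffixes are assumptions.

```php
<?php
// Constructed example; mirrors the pattern described in the advisory, not the plugin's source.

// Unrestricted pattern: the 'role' value is copied straight from the POST body,
// so a request can ask for 'administrator' and wp_insert_user() will honour it.
function easyel_handle_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $_POST['role'] ?? 'subscriber', // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

// Hardened pattern: registration must be enabled, the request must carry a valid
// nonce, and the role is taken from site configuration only, never from the client.
function easyel_handle_register_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is closed.' );
    }
    $nonce = isset( $_POST['easyel_register_nonce'] ) ? wp_unslash( $_POST['easyel_register_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'easyel_register' ) ) { // assumed nonce action name
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Use the site's configured default role, but never let a self-registered
    // account land in a role that can manage the site (defence in depth).
    $role     = get_option( 'default_role', 'subscriber' );
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
        $role = 'subscriber';
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => $role, // $_POST['role'] is deliberately ignored
    );
    return wp_insert_user( $userdata );
}
```

The `manage_options` check is the key invariant to keep when reviewing any custom registration code: whatever role a self-registration path assigns must not carry administrative capabilities.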

Defensive priority

critical

Recommended defensive actions

  • Immediately update Easy Elements for Elementor plugin to version 1.4.5 or later
  • Review WordPress user accounts for unauthorized administrator accounts created since plugin installation
  • Implement temporary access controls or web application firewall rules to restrict registration endpoints if patching is delayed
  • Audit site configuration and plugin permissions for additional hardening
  • Consider disabling user registration functionality if not required for site operation

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository code review. The affected function `easyel_handle_register` in `class.login-register.php` at line 62 (version 1.4.0) lacks role validation. Patch committed in changeset 3534530.
