PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25440 WPDeveloper CVE debrief

CVE-2026-25440 is a MEDIUM severity vulnerability (CVSS Score 5.3) affecting Essential Addons for Elementor versions prior to 6.6.0. The vulnerability is characterized as Unauthenticated Broken Access Control.

Vendor: WPDeveloper
Product: Essential Addons for Elementor
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-15
Original CVE updated: 2026-06-15
Advisory published: 2026-06-15
Advisory updated: 2026-06-15

Who should care

Users of Essential Addons for Elementor versions prior to 6.6.0 should apply patches or mitigations as available.

Technical summary

The vulnerability (CVE-2026-25440) is caused by Unauthenticated Broken Access Control in Essential Addons for Elementor versions prior to 6.6.0. The Common Vulnerability Scoring System (CVSS) score is 5.3, indicating a MEDIUM severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Defensive priority

This vulnerability is considered a MEDIUM severity issue. Users are advised to update to version 6.6.0 or later of Essential Addons for Elementor.

Recommended defensive actions

  • Update Essential Addons for Elementor to version 6.6.0 or later.
  • Refer to [ref-4](https://patchstack.com/database/wordpress/plugin/essential-addons-for-elementor-lite/vulnerability/wordpress-essential-addons-for-elementor-plugin-6-5-13-broken-access-control-vulnerability?_s_id=cve).
  • Check the official CVE record at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-25440).
  • View details on the NVD at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-25440).

Evidence notes

Evidence suggests that this vulnerability was reported by Patchstack and is related to CWE-862.

Official resources

CVE-2026-25440 was published on 2026-06-15T21:16:40.410Z and modified on 2026-06-15T21:24:32.790Z.