PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15155 wpdevteam CVE debrief

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10. This vulnerability allows authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover. The vulnerability is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers. The allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers.

Vendor
wpdevteam
Product
Essential Addons for Elementor – Popular Elementor Templates & Widgets
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Administrators and users of the Essential Addons for Elementor plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This vulnerability affects users with Contributor-level access and above, and it is essential to restrict access to the Login/Register widget setting and implement additional security measures to prevent account takeover.

Technical summary

The vulnerability is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers. The allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.

Defensive priority

High

Recommended defensive actions

  • Update the Essential Addons for Elementor plugin to the latest version
  • Monitor for suspicious activity on your WordPress site
  • Restrict access to the Login/Register widget setting
  • Implement additional security measures to prevent account takeover
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-11T07:16:46.170Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10. The vulnerability is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.170Z and has not been modified since then.