PatchSiren cyber security CVE debrief
CVE-2026-15155 wpdevteam CVE debrief
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10. This vulnerability allows authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover. The vulnerability is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers. The allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers.
- Vendor
- wpdevteam
- Product
- Essential Addons for Elementor – Popular Elementor Templates & Widgets
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators and users of the Essential Addons for Elementor plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This vulnerability affects users with Contributor-level access and above, and it is essential to restrict access to the Login/Register widget setting and implement additional security measures to prevent account takeover.
Technical summary
The vulnerability is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers. The allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.
Defensive priority
High
Recommended defensive actions
- Update the Essential Addons for Elementor plugin to the latest version
- Monitor for suspicious activity on your WordPress site
- Restrict access to the Login/Register widget setting
- Implement additional security measures to prevent account takeover
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-11T07:16:46.170Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10. The vulnerability is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.170Z and has not been modified since then.