Unauthenticated Privilege Escalation in Easy Elements for Elementor – Addons & Website Templates <= 1.4.9 versions.
The vulnerability results from improper permission management (CWE-266) in the plugin code. An attacker without any account in the WordPress system can send an appropriately crafted network request and obtain a higher level of access than they are entitled to. The lack of identity verification mechanisms and access control allows privilege escalation from the network level without any authorization.
Attackers can gain elevated privileges in the WordPress system, which may consequently lead to complete takeover of the website, content modification, data theft, or installation of malicious software.
The Easy Elements for Elementor plugin should be updated immediately to a version higher than 1.4.9. Details regarding the patch are available in the Patchstack database and in the WordPress plugin repository.
Easy Elements for Elementor – Addons & Website Templates plugin in versions up to and including 1.4.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H