CVE-2026-15155

wpdevteam · Essential Addons for Elementor

The Essential Addons for Elementor plugin for WordPress is vulnerable to an authenticated account takeover via email header injection.

Executive summary

An authenticated account takeover vulnerability in the Essential Addons for Elementor plugin allows malicious actors to compromise user accounts.

Vulnerability

The plugin contains a weak password recovery mechanism (CWE-640) that is susceptible to email header injection. This allows an authenticated user to manipulate system processes to perform an account takeover.

Business impact

With a CVSS score of 8.8, this vulnerability poses a severe threat to WordPress site integrity. Successful exploitation could lead to full administrative account takeover, unauthorized data access, and complete site compromise, significantly impacting organizational security and user trust.

Remediation

Immediate Action: Update the "Essential Addons for Elementor" plugin to the latest available patched version immediately.

Proactive Monitoring: Audit WordPress user account activity and monitor for suspicious password reset requests or unexpected changes to administrative privileges.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to detect and block malicious email header injection attempts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for complete account takeover, this vulnerability should be treated as a high-priority incident. Site administrators must verify their current plugin version and apply the vendor-supplied update immediately to prevent unauthorized access.