CVE-2026-15155
wpdevteam · Essential Addons for Elementor
The Essential Addons for Elementor plugin for WordPress is vulnerable to an authenticated account takeover via email header injection.
Executive summary
An authenticated account takeover vulnerability in the Essential Addons for Elementor plugin allows malicious actors to compromise user accounts.
Vulnerability
The plugin contains a weak password recovery mechanism (CWE-640) that is susceptible to email header injection. This allows an authenticated user to manipulate system processes to perform an account takeover.
Business impact
With a CVSS score of 8.8, this vulnerability poses a severe threat to WordPress site integrity. Successful exploitation could lead to full administrative account takeover, unauthorized data access, and complete site compromise, significantly impacting organizational security and user trust.
Remediation
Immediate Action: Update the "Essential Addons for Elementor" plugin to the latest available patched version immediately.
Proactive Monitoring: Audit WordPress user account activity and monitor for suspicious password reset requests or unexpected changes to administrative privileges.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to detect and block malicious email header injection attempts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for complete account takeover, this vulnerability should be treated as a high-priority incident. Site administrators must verify their current plugin version and apply the vendor-supplied update immediately to prevent unauthorized access.