CVE-2026-5193: Privilege Escalation in Essential Addons for Elementor
Plattform
wordpress
Komponente
essential-addons-for-elementor-lite
Behoben in
6.6.0
CVE-2026-5193 describes a privilege escalation vulnerability discovered in the Essential Addons for Elementor plugin, a popular WordPress extension. This flaw allows authenticated attackers with author-level access or higher to create new user accounts with elevated privileges, such as the 'editor' role. The vulnerability impacts versions 0.0.0 through 6.5.13 of the plugin, and a fix is available in version 6.6.0.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Auswirkungen und Angriffsszenarien
The primary impact of CVE-2026-5193 is the potential for unauthorized privilege escalation within a WordPress site. An attacker, already possessing author or higher access, can exploit this vulnerability to create new user accounts with editor or administrator privileges. This grants them the ability to modify content, install plugins, change site settings, and potentially compromise the entire WordPress installation. The blast radius extends to any data accessible by users with editor or administrator roles, including sensitive information stored in the database or accessible through plugins. While not directly comparable to a remote code execution vulnerability, the ability to gain elevated privileges can be a stepping stone to further compromise.
Ausnutzungskontext
CVE-2026-5193 is currently not listed on KEV (Known Exploited Vulnerabilities) as of the publication date. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. There are no publicly available proof-of-concept (POC) exploits at this time. The vulnerability was published on 2026-05-14, so active exploitation is unlikely but possible. Monitor WordPress security forums and threat intelligence feeds for any indications of exploitation.
Bedrohungsanalyse
Exploit-Status
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Niedrig — jedes gültige Benutzerkonto ist ausreichend.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Keine — kein Vertraulichkeitseinfluss.
- Integrity
- Hoch — Angreifer kann beliebige Daten schreiben, ändern oder löschen.
- Availability
- Keine — kein Verfügbarkeitseinfluss.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
Mitigation und Workarounds
The primary mitigation for CVE-2026-5193 is to immediately upgrade the Essential Addons for Elementor plugin to version 6.6.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user creation privileges within WordPress. This can be achieved through a plugin that limits the roles available for new user registration. Additionally, review existing user accounts for any suspicious activity. After upgrading, verify the fix by attempting to create a new user account with a role other than 'subscriber' while logged in as a user with author privileges; the attempt should be rejected.
So beheben
Aktualisieren Sie auf Version 6.6.0 oder eine neuere gepatchte Version
Häufig gestellte Fragen
What is CVE-2026-5193 — Privilege Escalation in Essential Addons for Elementor?
CVE-2026-5193 is a medium severity vulnerability affecting Essential Addons for Elementor versions 0.0.0–6.5.13. It allows authenticated users with author access to create new users with elevated privileges like editor.
Am I affected by CVE-2026-5193 in Essential Addons for Elementor?
You are affected if your WordPress site uses Essential Addons for Elementor version 0.0.0 through 6.5.13. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-5193 in Essential Addons for Elementor?
Upgrade Essential Addons for Elementor to version 6.6.0 or later. If immediate upgrade is not possible, restrict user creation privileges as a temporary workaround.
Is CVE-2026-5193 being actively exploited?
As of the publication date, there are no known public exploits or active campaigns targeting CVE-2026-5193, but monitoring is recommended.
Where can I find the official Essential Addons for Elementor advisory for CVE-2026-5193?
Refer to the official Essential Addons for Elementor website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-5193.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Scannen Sie jetzt Ihr WordPress-Projekt – kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...