{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4326", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T13:09:41.727Z", "datePublished": "2026-04-09T01:25:55.660Z", "dateUpdated": "2026-04-09T13:50:45.630Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T01:25:55.660Z"}, "affected": [{"vendor": "webilia", "product": "Vertex Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails \u2014 it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress."}], "title": "Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb409f0-ccbd-4dfa-b097-b29ee539daa3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L264"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L264"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L278"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L278"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L229"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L229"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L232"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L232"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491143%40addons-for-elementor-builder&new=3491143%40addons-for-elementor-builder&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-03-23T23:52:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:50:00.630747Z", "id": "CVE-2026-4326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:50:45.630Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:50:00.630747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:50:22.455Z"}}], "cna": {"title": "Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "webilia", "product": "Vertex Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T23:52:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb409f0-ccbd-4dfa-b097-b29ee539daa3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L264"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L264"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L278"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L278"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L229"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L229"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L232"}, {"url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L232"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491143%40addons-for-elementor-builder&new=3491143%40addons-for-elementor-builder&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails \u2014 it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T01:25:55.660Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4326", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:50:45.630Z", "dateReserved": "2026-03-17T13:09:41.727Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-09T01:25:55.660Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails \u2014 it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress."}], "id": "CVE-2026-4326", "lastModified": "2026-04-24T18:04:28.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T02:16:16.530", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L229"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L232"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L264"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L278"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L229"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L232"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L264"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L278"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491143%40addons-for-elementor-builder&new=3491143%40addons-for-elementor-builder&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb409f0-ccbd-4dfa-b097-b29ee539daa3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Vertex Addons for Elementor", "source": "cna", "vendor": "webilia"}, "product": "vertex_addons_for_elementor", "vendor": "webilia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T03:51:27.678368+00:00", "value": {"mitigation_remediation": ["Upgrade Vertex Addons for Elementor to the latest version that contains the fix. ", "Verify that the activate_required_plugins function now correctly exits when current_user_can('install_plugins') fails; if not, patch the code manually to enforce the capability check. ", "Restrict the install_plugins capability to administrators only by reviewing user role settings and ensuring Subscribers cannot install or activate plugins. ", "If an immediate update is not possible, temporarily disable the plugin\u2019s AJAX endpoint or remove the afeb_activate_required_plugins action to block exploitation. ", "Monitor the site for unexpected plugin installations and review installed plugins for malicious code."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized arbitrary plugin installation and activation by authenticated users, enabling potential remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Vertex Addons for Elementor plugin from the vendor Webilia, specifically all releases version 1.6.4 and earlier. Site administrators should verify that the plugin is not running the vulnerable code and review any unexpected plugin additions.", "description_and_impact": "A flaw in Vertex Addons for Elementor up to version 1.6.4 allows any authenticated user with a Subscriber role or higher to install and activate arbitrary WordPress plugins through the activate_required_plugins function. The function performs a capability check that does not terminate the operation when the check fails, which leads to plugin installation and activation even for unauthorized users. This design flaw permits the introduction of malicious plugins that can execute arbitrary code, compromising confidentiality, integrity, and availability of the WordPress site.", "risk_and_exploitability": "The vulnerability has a CVSS base score of 8.8, indicating high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, but it can be exploited by any authenticated user who can reach the plugin\u2019s AJAX endpoint. Based on the description, the attacker can submit crafted HTTP requests to the afeb_activate_required_plugins action to trigger arbitrary plugin installation and activation, leading to potential remote code execution."}}}}, "created": "2026-04-09T08:15:53.513681+00:00", "updated": "2026-04-09T08:25:19.818696+00:00", "vendors": ["webilia", "webilia$PRODUCT$vertex_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}