Authorization Flaw in Plus Addons for Elementor Plugin by WordPress
CVE-2026-2386
Key Information:
- Vendor: WordPress
- CVE Published: 18 February 2026
What is CVE-2026-2386?
The Plus Addons for Elementor plugin for WordPress is affected by an Incorrect Authorization vulnerability. The tpae_create_page() AJAX handler authorizes requests based solely on the current_user_can('edit_posts') capability check and performs no capability check specific to the requested post type. Authenticated attackers with Author-level access or higher can therefore use the 'post_type' parameter to create arbitrary draft posts for restricted post types, including 'page' and 'nxt_builder'. This presents a significant risk to site owners, as it can lead to unauthorized content creation and manipulation.
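
The following is an added example, not the plugin's code or the vendor's patch: a WordPress AJAX handler that applies the post-type-specific authorization the description above says is missing. The handler name, action name, nonce action, 'title' field and allow-list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not the plugin's code or the vendor's patch.
// Pattern described in the advisory: the handler checks only
// current_user_can( 'edit_posts' ) and then trusts $_POST['post_type'].

add_action( 'wp_ajax_example_create_page', 'example_create_page' );

function example_create_page() {
	// CSRF protection; the nonce action and field names are assumptions.
	check_ajax_referer( 'example_create_page', 'nonce' );

	$post_type = isset( $_POST['post_type'] )
		? sanitize_key( wp_unslash( $_POST['post_type'] ) )
		: 'post';

	// 1. Allow-list the post types this endpoint is meant to create.
	$allowed = array( 'post', 'page' ); // assumption: set per feature
	if ( ! in_array( $post_type, $allowed, true ) ) {
		wp_send_json_error( array( 'message' => 'Post type not allowed.' ), 400 );
	}

	// 2. Check the capability registered for *this* post type,
	//    not the generic 'edit_posts' capability.
	$type_obj = get_post_type_object( $post_type );
	if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$title = isset( $_POST['title'] )
		? sanitize_text_field( wp_unslash( $_POST['title'] ) )
		: '';

	// 3. Create the draft only after both checks have passed.
	$post_id = wp_insert_post(
		array(
			'post_type'   => $post_type,
			'post_status' => 'draft',
			'post_title'  => $title,
		),
		true // return WP_Error on failure instead of 0
	);

	if ( is_wp_error( $post_id ) ) {
		wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
	}
	wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

With WordPress's default roles, an Author holds edit_posts but not edit_pages, so a request for 'page' is rejected at step 2, and a type outside the allow-list is rejected at step 1 regardless of role.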

Affected Version(s)
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce * <= 6.4.7