Missing Authorization Vulnerability in Vertex Addons for Elementor Plugin by WordPress
CVE-2026-4326

8.8HIGH

Key Information:

Vendor

WordPress
Status
Vertex Addons For Elementor
Vendor
CVE Published:
9 April 2026

What is CVE-2026-4326?

The Vertex Addons for Elementor plugin for WordPress is susceptible to a missing authorization vulnerability present in all versions up to and including 1.6.4. This vulnerability arises from inadequate authorization checks in the activate_required_plugins() function, where the capability check for 'install_plugins' does not halt execution on failure. As a result, an attacker with Subscriber-level or higher access can bypass plugin activation restrictions, allowing them to install and activate arbitrary plugins, potentially compromising the integrity of the WordPress site.

Affected Version(s)

Vertex Addons for Elementor 0 <= 1.6.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/addons-for-ele...
https://plugins.trac.wordpress.org/browser/addons-for-ele...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
.