CVE-2026-4326 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: April 9, 2026
Vertex Addons for Elementor - Broken Access Control
Published: April 9, 2026Updated: April 9, 2026Remote Exploitable
Overview
Vertex Addons for Elementor <= 1.6.4 contains a broken access control caused by improper authorization enforcement in activate_required_plugins() function, letting authenticated attackers with Subscriber-level access install and activate arbitrary plugins.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers with Subscriber-level access can install and activate arbitrary plugins, potentially compromising the WordPress site.
Mitigation
Update to the latest version beyond 1.6.4.
References
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L232
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L264
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L232
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L278
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb409f0-ccbd-4dfa-b097-b29ee539daa3?source=cve
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L229
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/tags/1.6.4/app/Ajax.php#L278
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L229
- https://plugins.trac.wordpress.org/browser/addons-for-elementor-builder/trunk/app/Ajax.php#L264
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3491143%40addons-for-elementor-builder&new=3491143%40addons-for-elementor-builder&sfp_email=&sfph_mail=
Related Resources
Details
- CVE ID
- CVE-2026-4326
- Severity
- High
- CVSS Score
- 8.8
- Type
- broken_access_control
- Status
- new
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H