CVE-2026-4326 in Vertex Addons for Elementor Lets Subscribers Install Arbitrary Plugins
On April 8, 2026, CVE-2026-4326 was published against the WordPress Elementor add-on plugin Vertex Addons for Elementor. CVSS 3.1 score 8.8 (HIGH), CWE-862 (Missing Authorization). Any authenticated user at Subscriber level or above can install and activate arbitrary plugins, which makes the attack surface wide on any site that has open member registration. Wordfence discovered the bug and has it listed in their vulnerability database.
On the WordPress ecosystem side, things like ACF 6.8 becoming an agent-drivable surface through the Abilities API are moving forward on the legitimate side. This CVE is the opposite — a third-party add-on’s implementation mistake getting stepped on. It’s a textbook case of “Elementor core is fine, but a sub-plugin has a hole.” For KEV activity this month, see also the seven CVEs added on April 13.
Vulnerability Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2026-4326 |
| CWE | CWE-862 (Missing Authorization) |
| CVSS 3.1 | 8.8 HIGH |
| CVSS 3.1 vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Affected versions | Vertex Addons for Elementor <= 1.6.4 |
| Fixed version | 1.6.5 |
| Published | 2026-04-08 (last modified 2026-04-13) |
| Discovered by | Wordfence |
Reading the vector: network-reachable (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction needed (UI:N), and high impact on confidentiality, integrity, and availability. In short, if the attacker has a Subscriber-level account, they can hit the plugin API directly from outside and install whatever plugin they want.
What Vertex Addons for Elementor Is
Vertex Addons for Elementor is an Elementor add-on bundle plugin distributed by Webilia. The marketing copy lists “43 essential free widgets” — news ticker, testimonial carousel, countdown, and the usual cast of page-builder parts.
It’s in the same lineage as “Essential Addons,” “Happy Addons,” and “Royal Addons” — add-on bundles that supplement Elementor core with extra widgets. The Elementor add-on space has a glut of plugins like this: individual install counts aren’t huge, but somewhere on the internet every one of them is actively running.
The Bug
The problem sits in the authorization check of the activate_required_plugins() function. WordPress normally gates plugin install and activation via current_user_can('install_plugins'), and Vertex's implementation looked roughly like this (a conceptual reconstruction, not the verbatim source):
```php
public function activate_required_plugins() {
    $response = [];
    if ( ! current_user_can( 'install_plugins' ) ) {
        $response['error'] = 'Permission denied.';
        // ← no return, wp_die() or wp_send_json_error() here: execution falls through
    }
    // these run even for Subscriber-level users
    $this->install_plugin( $_POST['plugin_slug'] );
    $this->activate_plugin( $_POST['plugin_slug'] );
    // the "Permission denied" error is sent only after install/activate already ran
    wp_send_json( $response );
}
```
It does check current_user_can() and writes an error string into a variable, but it never calls return, wp_die(), or wp_send_json_error(). Execution falls through into install_plugin() and activate_plugin(). The response contains the “Permission denied” JSON, but by the time it’s sent, the install and activation have already happened.
Textbook CWE-862 — the check is there, but the branch on the check’s result isn’t. Easy to miss in code review.
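For contrast, here is the shape a correct handler takes. This is an added example, not Vertex's code or the 1.6.5 fix: it assumes the handler is registered on the wp_ajax_activate_required_plugins hook, that the admin page emits a nonce under the hypothetical action name 'vertex_activate_plugins', and that install_plugin() and activate_plugin() are the plugin's own helpers (declared abstract here, since their bodies are not the point). The essential change is that a failed capability check ends the request.

```php
<?php
/**
 * Added example (not the plugin's code): a hardened version of the conceptual handler.
 * Assumptions: hook name wp_ajax_activate_required_plugins, nonce action
 * 'vertex_activate_plugins', and install_plugin()/activate_plugin() as the add-on's
 * own helpers. $allowed is an illustrative allow-list.
 */
abstract class Vertex_Plugin_Installer_Hardened {

    public function __construct() {
        // Register only the authenticated hook. There is deliberately no
        // wp_ajax_nopriv_ variant, so anonymous requests never reach the handler.
        add_action( 'wp_ajax_activate_required_plugins', [ $this, 'activate_required_plugins' ] );
    }

    public function activate_required_plugins() {
        // 1. CSRF: check_ajax_referer() calls wp_die() itself when the nonce is missing
        //    or invalid, so a forged cross-site request stops here.
        check_ajax_referer( 'vertex_activate_plugins', 'nonce' );

        // 2. Authorization (the CWE-862 fix): wp_send_json_error() ends the request via
        //    wp_die(), so a Subscriber can never fall through to the install call.
        if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
            wp_send_json_error( [ 'message' => 'Permission denied.' ], 403 );
        }

        // 3. Input: accept only a well-formed slug, and only one of the plugins this
        //    add-on legitimately depends on, rather than any slug the caller names.
        $slug = isset( $_POST['plugin_slug'] )
            ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) )
            : '';
        $allowed = [ 'elementor' ]; // illustrative allow-list; a real one lives in plugin config
        if ( '' === $slug || ! in_array( $slug, $allowed, true ) ) {
            wp_send_json_error( [ 'message' => 'Unknown plugin slug.' ], 400 );
        }

        // Only reached by a nonce-bearing request from a user who may install plugins.
        $this->install_plugin( $slug );
        $this->activate_plugin( $slug );

        wp_send_json_success( [ 'installed' => $slug ] );
    }

    // The add-on's own helpers (bodies unchanged and omitted here).
    abstract protected function install_plugin( string $slug ): void;
    abstract protected function activate_plugin( string $slug ): void;
}
```

Three things differ from the vulnerable shape: the capability check terminates the request instead of only recording an error, the request must carry a nonce, and the slug is constrained to a known set instead of being passed straight from $_POST into the installer. Each one independently closes a path the original left open.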
What Subscriber Access Gets an Attacker
A WordPress Subscriber is the bottom rung of authenticated users — they can basically just edit their own profile. Sites routinely hand out Subscriber accounts for comment-posting registration, WooCommerce purchaser accounts, and members-only reading accounts. Getting one is generally trivial.
The attack chain this CVE enables is straight-line.
```mermaid
flowchart TD
    A[Login as Subscriber] --> B[Call vulnerable activate_required_plugins]
    B --> C[Specify arbitrary plugin slug]
    C --> D[Plugin is installed and activated]
    D --> E[Drop a known-vulnerable or backdoored plugin]
    E --> F[Admin takeover / RCE / site defacement]
```
The key point is that a Subscriber can pull down any plugin from the official WordPress.org repository. An attacker can deliberately install a plugin with a publicly known, still-unpatched vulnerability and use it as a launching pad for unauthenticated RCE or privilege escalation. From there, admin account takeover and malware placement follow in a straight line. CVSS 8.8 HIGH reflects this chain.
What Site Operators Should Do
If you’re managing a site that has this plugin installed, here’s the checklist.
- Update to 1.6.5 or later immediately. If wp-admin > Plugins shows the update, it should be the first thing you apply
- If you can't update quickly, deactivate or remove the plugin. As long as the vulnerable version is live, the attack surface is open
- Confirm whether new user registration is disabled. Subscriber access is enough to exploit this, so if registration is open for commenting, treat it as high-risk
- Scan access logs for suspicious requests hitting admin-ajax.php with action=activate_required_plugins
- If Wordfence is installed, verify the auto-rule update. Wordfence's firewall rules ship in sync with CVEs like this: immediately for Pro, within 30 days for Free
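The log-scanning step above can be scripted. The following is an added example, not from the write-up or from Wordfence: a small PHP CLI script that parses combined-format (Apache/Nginx) access log lines, keeps only requests to admin-ajax.php whose query string carries action=activate_required_plugins, and tallies them per source IP. The log lines are constructed sample data with RFC 5737 addresses and a placeholder slug. One caveat worth knowing before you rely on it: POST bodies are not written to access logs, so a request that sends the action parameter in the body rather than the query string will not match; a burst of POSTs to admin-ajax.php from a single address is still worth a closer look.

```php
<?php
// Added example (not from the original post): find admin-ajax.php requests that
// name the vulnerable action in the query string and summarise them per source IP.
// The log lines below are constructed sample data, not a real capture.

$sample_log = <<<'LOG'
203.0.113.7 - - [09/Apr/2026:03:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=activate_required_plugins HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.22 - - [09/Apr/2026:03:14:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2026:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=activate_required_plugins&plugin_slug=example-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [09/Apr/2026:03:20:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; returns null for lines that do not match.
function parse_log_line( string $line ): ?array {
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" '
        . '(?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $url   = parse_url( $m['target'] );
    $query = [];
    if ( isset( $url['query'] ) ) {
        parse_str( $url['query'], $query ); // splits action=...&plugin_slug=... into an array
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m['status'],
        'ua'     => $m['ua'],
    ];
}

// Keep only requests to admin-ajax.php whose query string names the vulnerable action.
function find_suspicious( string $log ): array {
    $hits = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_log_line( $line );
        if ( $r === null ) {
            continue;
        }
        $suffix = '/admin-ajax.php';
        if ( substr( $r['path'], -strlen( $suffix ) ) !== $suffix ) {
            continue;
        }
        if ( ( $r['query']['action'] ?? '' ) !== 'activate_required_plugins' ) {
            continue;
        }
        $hits[] = $r;
    }
    return $hits;
}

$hits  = find_suspicious( $sample_log );
$by_ip = [];
foreach ( $hits as $h ) {
    $by_ip[ $h['ip'] ] = ( $by_ip[ $h['ip'] ] ?? 0 ) + 1;
    printf(
        "%s  %-15s %s  slug=%s  status=%d  ua=%s\n",
        $h['time'], $h['ip'], $h['method'],
        $h['query']['plugin_slug'] ?? '(none)', $h['status'], $h['ua']
    );
}
foreach ( $by_ip as $ip => $n ) {
    printf( "%s: %d request(s) naming activate_required_plugins\n", $ip, $n );
}
```

Run it as `php scan.php` after replacing $sample_log with the contents of the real log (or reading the file in chunks for large logs). A status of 200 on a matching line is the worrying case: with the vulnerable version, that is exactly what a successful install looks like, since the handler returns success-shaped JSON even on the "Permission denied" path.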
On sites that already have a large Subscriber pool (membership, e-commerce, community), an account audit is worth doing even after the patch. Check whether any accounts have silently escalated to Administrator or Editor, and scan recent posts and plugin-update logs for anything unfamiliar.
Vertex Addons for Elementor itself is a minor-tier plugin, but the Elementor add-on ecosystem relies on third-party add-on plugins at the widget level, and the same class of bug will keep surfacing. Removing add-ons you aren’t actually using is still the most reliable preventive measure.
References:
- NVD: CVE-2026-4326: https://nvd.nist.gov/vuln/detail/CVE-2026-4326
- Wordfence threat intelligence: https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb409f0-ccbd-4dfa-b097-b29ee539daa3?source=cve
- WP-Doctor: Addons for Elementor Builder Exploit: https://wp-doctor.jp/blog/vulnerabilities/addons-for-elementor-builder-exploit-cve-2026-4326/