Introduction
An unrestricted role parameter in a WordPress plugin's registration handler is one of the most direct paths to full site compromise, and that is exactly what CVE-2026-7284 delivers. The Easy Elements for Elementor plugin, in all versions through 1.4.4, allows unauthenticated users to register accounts with the administrator role by simply modifying a single POST parameter.
Easy Elements for Elementor is a WordPress plugin by "themewant" that provides addons and website templates extending the Elementor page builder. WPScan reports approximately 1,000 active installations. While the install base is modest, the plugin's integration with Elementor (one of the most widely used WordPress page builders) places it in a broader ecosystem where similar addon plugins are frequently deployed.
Technical Information
The vulnerability is rooted in CWE-269 (Improper Privilege Management) within the easyel_handle_register function, located in the plugin's registration widget handler at widgets/login-register/class.login-register.php. The source code, visible on the WordPress Plugin Repository at the referenced trac link for version 1.4.0, reveals that the plugin's registration form includes a hidden input field for the user role. The backend handler reads this role value directly from the incoming POST request and passes it to the WordPress user creation process without any validation.
There is no allowlist of permitted roles, no check against the WordPress default role setting, and no restriction to prevent a user from supplying privileged roles such as administrator. This means the server trusts the client to provide a safe role value, which is a fundamental access control failure.
Attack Flow
The exploitation sequence is as follows:
- An attacker locates a WordPress site running Easy Elements for Elementor version 1.4.4 or earlier. The site must expose a registration form powered by the plugin's login/register widget.
- The attacker inspects the registration form and identifies the hidden input field that carries the role parameter, or simply crafts a direct POST request to the plugin's registration endpoint.
- The attacker sets the role parameter value to
administratorin the request body. - The
easyel_handle_registerfunction processes the request. Because it does not validate or restrict the role value, it creates a new WordPress user account with full administrator privileges. - The attacker logs in with the newly created administrator account and has complete control over the WordPress installation.
The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, resulting in a score of 9.8. Every component of the vector reflects the severity: network accessible, low complexity, no privileges required, no user interaction needed, and high impact across confidentiality, integrity, and availability.
The fix in version 1.4.5, visible in changeset 3534530 on the WordPress Plugin Repository, includes modifications to nonce handling and form inputs related to the role parameter, ensuring that user controlled input can no longer dictate the assigned role during registration.
Affected Systems and Versions
The following versions are affected:
- Easy Elements for Elementor versions 1.4.4 and all prior versions (confirmed by both Wordfence and WPScan)
- The plugin requires PHP 7.4 or higher and WordPress 6.3 or higher, so any WordPress installation meeting those requirements and running a vulnerable plugin version is at risk
- Version 1.4.5 contains the fix and is the minimum safe version
Vendor Security History
The Easy Elements for Elementor plugin has a limited security track record. WPScan lists only one recorded vulnerability for this plugin: CVE-2026-7284 itself. Patchstack notes that the plugin has no Vulnerability Disclosure Program (VDP), indicating the vendor lacks a formal channel for security researchers to report issues. The combination of a critical access control flaw in a core registration function and the absence of a VDP suggests that security review has not been a priority in the plugin's development lifecycle.



