Executive Summary

The Essential Addons for Elementor plugin for WordPress is vulnerable to authenticated account takeover via email header injection. This vulnerability, tracked as CVE-2026-15155, allows an attacker with Contributor-level access to inject a Bcc header into the administrator's password-reset notification email. This could potentially lead to full administrator account takeover. The vulnerability has a CVSS score of 8.8, indicating a high severity level.

Technical Analysis

The vulnerability is caused by insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers. The allowed-values restriction is enforced only in the client-side editor UI and not on the server. Additionally, the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers to inject an additional Bcc header into the WordPress administrator's password-reset notification email.

How It Gets Exploited

An attacker with Contributor-level access and above can exploit this vulnerability by manipulating the Login/Register widget setting to inject a Bcc header into the administrator's password-reset notification email. The attacker would need to: - Have Contributor-level access or higher on the WordPress site - Modify the Login/Register widget setting to include a malicious Bcc header - Trigger the password-reset notification email for an administrator - Receive a copy of the valid administrator password-reset link via the injected Bcc header - Use the password-reset link to gain full administrator account access

Impact Assessment

The vulnerability affects all versions of the Essential Addons for Elementor plugin up to and including 6.6.10. The impact is high, with a CVSS score of 8.8, indicating that an attacker can achieve high confidentiality, integrity, and availability impacts. Specifically, an attacker can gain full administrator account access, potentially leading to complete control of the WordPress site.

Recommended Actions

To mitigate this vulnerability, it is recommended to: - Update the Essential Addons for Elementor plugin to version 6.6.11 or later - Monitor for suspicious activity, such as unexpected password-reset emails or administrator account changes - Implement additional security measures, such as two-factor authentication for administrator accounts - Restrict Contributor-level access to only necessary users

Sources

- National Vulnerability Database (NVD) - Wordfence