CVE-2026-7665: Essential Addons for Elementor Information Exposure via ajax_load_more
A WordPress plugin called Essential Addons for Elementor contains a flaw that allows anyone on the internet to view sensitive posts they shouldn't be able to see—including password-protected pages, private posts, and draft content. The vulnerability exists in a feature called 'ajax_load_more' that doesn't properly check permissions before returning post data. An attacker needs only a web browser; no login credentials or special interaction is required.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
14 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The Essential Addons for Elementor plugin fails to enforce proper authorization controls in its ajax_load_more AJAX function. The function retrieves and exposes posts without verifying that the requesting user has permission to view them. This authorization bypass affects posts marked as private, password-protected, or in draft status, allowing unauthenticated users to enumerate and extract sensitive content through direct function calls. The vulnerability stems from insufficient input validation and capability checks on user-initiated AJAX requests.
Business impact
Organizations using this plugin to manage confidential content face immediate risk of unauthorized disclosure. Draft blog posts, unreleased announcements, private client pages, and password-protected materials become accessible to anyone. This can lead to competitive intelligence leaks, premature public disclosure of sensitive information, compliance violations if personal or regulated data is exposed, and reputational damage. The ease of exploitation means attackers require minimal effort to systematically extract large volumes of sensitive content.
Affected systems
All versions of the Essential Addons for Elementor plugin up to and including version 6.6.4 are affected. Any WordPress installation using this plugin with that version range is vulnerable. The plugin's popularity as an Elementor template and widget tool means the exposure could affect a large number of WordPress sites across various industries.
Exploitability
This vulnerability has a low barrier to exploitation. The attack requires no authentication, no user interaction, and can be executed over the network using standard HTTP requests. An attacker can craft AJAX requests targeting the vulnerable function and retrieve protected posts without triggering authentication prompts. Automated tools can rapidly enumerate and extract all protected content. The straightforward nature of the flaw means both opportunistic attackers and sophisticated threat actors can easily abuse it.
Remediation
Site administrators must update the Essential Addons for Elementor plugin to a patched version beyond 6.6.4. After updating, verify that the ajax_load_more function now properly validates user permissions before returning post data. For sites that cannot immediately patch, consider disabling the plugin or restricting AJAX endpoint access via Web Application Firewall rules until a fix is deployed. Review access logs and post revision histories to determine whether sensitive content has been accessed without authorization.
Patch guidance
Upgrade the Essential Addons for Elementor plugin to the latest available version above 6.6.4. The patch should include authorization checks within the ajax_load_more function that verify the requesting user has permission to view each post before returning its data. Verify the patch against the official plugin repository and the vendor's security advisory. Test the update in a staging environment before deploying to production to ensure compatibility with your Elementor configuration and custom templates.
Detection guidance
Monitor AJAX logs for repeated calls to the ajax_load_more endpoint, particularly from IP addresses with no previous site activity. Look for requests that return post data with post_status values of 'draft', 'private', or posts requiring password authentication. Implement logging for all AJAX requests and correlate failed permission checks. Use Web Application Firewall rules to flag suspicious patterns of sequential post ID enumeration. Check WordPress post access logs and audit trails for unauthorized views of protected content. Consider implementing rate limiting on AJAX endpoints to slow reconnaissance attempts.
Why prioritize this
This vulnerability should be prioritized for immediate patching due to its simplicity, lack of exploitation barriers, and direct exposure of sensitive business information. The combination of low CVSS complexity (AC:L), no authentication requirement (PR:N), and clear confidentiality impact (C:L) makes it attractive to opportunistic attackers. Organizations managing confidential content, legal documents, or unreleased materials should treat this as critical despite its MEDIUM CVSS rating.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-accessible vulnerability requiring no privileges or user interaction, with low complexity. However, the score does not capture the full business risk: the ease of exploitation, the sensitivity of typical exposed content, and the difficulty in detecting whether extraction has already occurred elevate practical risk beyond the numerical rating. Organizations should weigh the CVSS score alongside their own content sensitivity and threat model.
Frequently asked questions
Can this vulnerability expose personally identifiable information (PII)?
Yes. If password-protected or private posts contain PII—customer data, employee records, client information—the vulnerability creates a direct path for unauthorized exposure. Organizations storing regulated personal data should treat this as a potential compliance incident and conduct forensic analysis of access logs.
Do we need user interaction or credentials to exploit this?
No. The vulnerability is fully unauthenticated and requires only HTTP requests to the WordPress AJAX endpoint. An attacker can exploit it with a basic script or browser console. No special tools, credentials, or user actions are needed.
How can we tell if our site has been compromised by this vulnerability?
Review AJAX endpoint access logs for unusual POST requests to the ajax_load_more function. Check post revision histories and access logs for views of draft or private posts from unauthenticated sessions. A sudden spike in AJAX calls or enumeration patterns across post IDs is a strong indicator. Enable WordPress audit logging plugins to capture post access events if not already in place.
Are other Elementor plugins or page builders affected?
This vulnerability is specific to the Essential Addons for Elementor plugin. Other Elementor add-ons and page builders may have similar authorization flaws, but they must be assessed independently. Review any third-party plugins that expose AJAX endpoints to ensure they validate user permissions.
This analysis is provided for informational purposes to help security teams understand and remediate the vulnerability. The information is based on the published CVE description and CVSS scoring. Organizations should verify patch availability and compatibility with their specific WordPress and plugin versions before deployment. Exploit code or proof-of-concept details are not provided to prevent weaponization. Always test patches in non-production environments first. If you believe your site has been compromised, engage incident response and forensic analysis professionals. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10038MEDIUMCharitable WordPress Plugin IDOR Arbitrary Attachment Deletion Vulnerability
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-11142MEDIUMChrome Paint Same-Origin Policy Bypass Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms