CVE-2026-1004

5.3 MEDIUM

📋 TL;DR

The Essential Addons for Elementor WordPress plugin exposes draft, pending, and private WooCommerce product information to unauthenticated attackers through an AJAX endpoint. This vulnerability affects all WordPress sites using this plugin up to version 6.5.5, allowing unauthorized access to sensitive product data that should be restricted.

💻 Affected Systems

Products:
  • Essential Addons for Elementor (WordPress plugin)
Versions: All versions up to and including 6.5.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WooCommerce to be installed and configured with draft/pending/private products. The vulnerability is in the plugin's AJAX handler functionality.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could harvest sensitive product information before official release, enabling competitive intelligence gathering, price manipulation, or targeted attacks based on unreleased product details.

🟠 Likely Case

Unauthorized users can view product details that are still in draft or private status, potentially revealing upcoming products, pricing strategies, or internal product development information.

🟢 If Mitigated

With proper access controls, only authorized users can view draft/private products, maintaining business confidentiality and release schedules.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted AJAX requests to the vulnerable endpoint. No authentication is needed, making this easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.6 and later

Vendor Advisory: https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Essential Addons for Elementor'.
  4. Click 'Update Now' if available.
  5. Alternatively, download version 6.5.6+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

Platform: all

Temporarily disable the 'eael_product_quickview_popup' function by modifying the plugin code.

Edit wp-content/plugins/essential-addons-for-elementor-lite/includes/Traits/Ajax_Handler.php and comment out lines 1439-1445. The line numbers are version-specific, so confirm that the span you comment out is the 'eael_product_quickview_popup' handler before editing; the change is lost on the next plugin update.

Restrict AJAX access via .htaccess

Platform: linux

Block requests for the vulnerable AJAX action using web server rules (Apache with mod_rewrite enabled; the rule applies to authenticated and unauthenticated clients alike).

Add to .htaccess:

RewriteCond %{QUERY_STRING} action=eael_product_quickview_popup [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]

This rule matches the action name only in the query string; a request that carries action=eael_product_quickview_popup in the POST body does not match it and passes through, so treat it as a partial workaround rather than a substitute for the patch.

🧯 If You Can't Patch

  • Disable the Essential Addons for Elementor plugin entirely until patched
  • Implement web application firewall rules to block requests to the vulnerable AJAX endpoint

🔍 How to Verify

Check if Vulnerable:

Check if plugin version is 6.5.5 or lower in WordPress admin → Plugins → Essential Addons for Elementor

Check Version:

wp plugin get essential-addons-for-elementor-lite --field=version

Verify Fix Applied:

Verify plugin version is 6.5.6 or higher and test that draft/private products are no longer accessible via AJAX requests

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with 'action=eael_product_quickview_popup' parameter
  • Access to draft/private product IDs from unauthenticated clients

Network Indicators:

  • Unusual AJAX requests to product endpoints from external IPs
  • Pattern of requests attempting to enumerate product IDs

SIEM Query:

source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=eael_product_quickview_popup*" AND NOT user_agent="*bot*"
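As an added example, not part of the original advisory, the log indicators above implemented over constructed access-log lines: it keeps only requests to admin-ajax.php that carry the quick-view action and reports client IPs that issue several such requests with distinct product IDs. The combined-log format, the product_id parameter name and the threshold are assumptions; as with the .htaccess rule, only an action passed in the query string is visible in a standard access log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ACTION = "eael_product_quickview_popup"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx combined log format; product_id is an assumed parameter name.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:01 +0000] "POST /wp-admin/admin-ajax.php?action=eael_product_quickview_popup&product_id=101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=eael_product_quickview_popup&product_id=102 HTTP/1.1" 200 5131 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=eael_product_quickview_popup&product_id=103 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=eael_product_quickview_popup&product_id=55 HTTP/1.1" 200 4870 "https://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2026:10:07:10 +0000] "POST /wp-admin/admin-ajax.php?action=eael_product_quickview_popup&product_id=7 HTTP/1.1" 200 4990 "-" "Googlebot/2.1"
"""


def parse_line(line):
    """Split one combined-log line into the fields the detector needs; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    q = parse_qs(parts.query)
    return {"ip": m["ip"], "path": parts.path, "ua": m["ua"],
            "action": q.get("action", [""])[0],
            "product_id": q.get("product_id", [""])[0]}


def find_enumerators(log_text, min_requests=3, exclude_bot_ua=True):
    """Return {ip: sorted distinct product ids} for IPs hitting the quick-view action
    at least min_requests times. The user agent is attacker-controlled, so the
    '*bot*' exclusion from the SIEM query is optional here."""
    hits = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["path"] != AJAX_PATH or ev["action"] != ACTION:
            continue
        if exclude_bot_ua and "bot" in ev["ua"].lower():
            continue
        counts[ev["ip"]] += 1
        hits[ev["ip"]].add(ev["product_id"])
    return {ip: sorted(hits[ip]) for ip, n in counts.items() if n >= min_requests}


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct product ids via {ACTION}: {ids}")
```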
