CVE-2026-2386
📋 TL;DR
This vulnerability allows authenticated WordPress users with Author-level permissions or higher to create draft posts for restricted post types they shouldn't have access to, such as 'page' or 'nxt_builder'. It affects all versions of The Plus Addons for Elementor plugin up to and including 6.4.7, due to insufficient authorization checks in the plugin's tpae_create_page AJAX handler.
💻 Affected Systems
- The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create unauthorized draft posts for sensitive post types, potentially leading to content manipulation, privilege escalation if those posts have special permissions, or disruption of site functionality.
Likely Case
Author-level users create draft pages or custom post types they aren't allowed to, causing minor content management issues or confusion in multi-user WordPress environments.
If Mitigated
With proper user role management and monitoring, impact is limited to low-severity unauthorized draft creation that can be easily reverted or deleted.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable AJAX endpoint, but is straightforward once those are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3463156/the-plus-addons-for-elementor-page-builder
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins > Installed Plugins.
3. Find 'The Plus Addons for Elementor' and update to version 6.4.8 or higher.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Restrict user roles
Limit the number of users with Author-level or higher permissions to reduce the attack surface.
Disable plugin if unused
Temporarily deactivate the plugin until patched, if its functionality is not critical.
wp plugin deactivate the-plus-addons-for-elementor
🧯 If You Can't Patch
- Monitor user activity logs for unauthorized post creation attempts, especially AJAX requests whose action parameter is tpae_create_page with a post_type the requesting role is not allowed to create.
- Implement web application firewall (WAF) rules to block suspicious requests targeting the vulnerable AJAX handler.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins; if version is 6.4.7 or lower, it is vulnerable.
Check Version:
wp plugin get the-plus-addons-for-elementor --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 6.4.8 or higher in the same location.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX POST requests to /wp-admin/admin-ajax.php with action 'tpae_create_page' and unexpected 'post_type' parameters from Author-level users.
Network Indicators:
- Spikes in admin-ajax.php requests carrying action=tpae_create_page (or other post-creation parameters) above the site's normal baseline.
SIEM Query:
source="wordpress_logs" action="tpae_create_page" post_type IN ("page", "nxt_builder")
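The two checks above (the version test under "How to Verify" and the log indicator under "Detection & Monitoring") can be scripted together. The following is an added example written for this page, not code from the plugin or its vendor; it assumes structured JSON-lines audit records with method, uri, role and params fields (the sample records below are constructed), and it treats Author, Contributor and Subscriber as the roles that should never create the restricted post types. The version comparison uses integer tuples so that a release such as 6.4.10 is correctly judged newer than 6.4.8, which a plain string comparison would get wrong.

```python
"""Added example for CVE-2026-2386: plugin version check plus detection of
tpae_create_page AJAX calls that attempt a restricted post_type.
Not part of the original advisory or the plugin's own code."""
import json
from typing import Iterable, List

# Post types the advisory names as restricted for Author-level users.
RESTRICTED_POST_TYPES = {"page", "nxt_builder"}
# Assumption: these roles are not meant to create the restricted post types.
LOW_PRIV_ROLES = {"author", "contributor", "subscriber"}
# First fixed release per the advisory.
FIXED_VERSION = (6, 4, 8)

# Constructed sample audit records (JSON lines), one per request.
SAMPLE_LOG = [
    '{"ts":"2026-03-01T10:00:01Z","user":"alice","role":"author","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","params":{"action":"tpae_create_page","post_type":"page"}}',
    '{"ts":"2026-03-01T10:00:02Z","user":"carol","role":"editor","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","params":{"action":"tpae_create_page","post_type":"page"}}',
    '{"ts":"2026-03-01T10:00:03Z","user":"alice","role":"author","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","params":{"action":"tpae_create_page","post_type":"post"}}',
    '{"ts":"2026-03-01T10:00:04Z","user":"bob","role":"author","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","params":{"action":"tpae_create_page","post_type":"nxt_builder"}}',
    '{"ts":"2026-03-01T10:00:05Z","user":"bob","role":"author","method":"GET",'
    '"uri":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"}}',
    'this line is not JSON and must be skipped',
]


def parse_version(version: str) -> tuple:
    """Turn '6.4.7' into (6, 4, 7); tolerate suffixes such as '6.4.8-beta'."""
    core = version.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed plugin version is below 6.4.8 (i.e. <= 6.4.7)."""
    return parse_version(version) < FIXED_VERSION


def suspicious_events(log_lines: Iterable[str]) -> List[dict]:
    """Return records matching the advisory's log indicator: a POST to
    admin-ajax.php with action=tpae_create_page and a restricted post_type,
    issued by a low-privilege role. Malformed lines are skipped."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        params = event.get("params") or {}
        if event.get("method") != "POST":
            continue
        if not str(event.get("uri", "")).endswith("/wp-admin/admin-ajax.php"):
            continue
        if params.get("action") != "tpae_create_page":
            continue
        if params.get("post_type") not in RESTRICTED_POST_TYPES:
            continue
        if str(event.get("role", "")).lower() in LOW_PRIV_ROLES:
            hits.append(event)
    return hits


if __name__ == "__main__":
    # Example: feed the version printed by `wp plugin get ... --field=version`.
    print("6.4.7 vulnerable:", is_vulnerable("6.4.7"))
    for hit in suspicious_events(SAMPLE_LOG):
        print("ALERT", hit["ts"], hit["user"], hit["role"], hit["params"])
```

Pipe real records in place of SAMPLE_LOG (for example from an activity-log plugin exporting JSON lines) and treat every hit as a candidate for review; a hit from an Editor or Administrator is not flagged because those roles are expected to create pages.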