HIGH | CVE-2026-42629 | CNA: Patchstack

CVE-2026-42629: WordPress PowerPack Pro for Elementor plugin < v2.13.0 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: v2.13.0
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a broken authentication vulnerability in the PowerPack Pro for Elementor WordPress plugin, affecting all versions before v2.13.0. The vulnerability is reachable over the network without any credentials, though it requires a victim to perform some interaction, such as clicking a crafted link. Successful exploitation gives an attacker full read, write, and availability impact against the affected WordPress site. A patched-image rebuild at v2.13.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images and pipeline artifacts, including custom-built WordPress images that bundle the PowerPack Pro for Elementor plugin.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency, then routes the finding to the appropriate team inbox within the affected customer organization.

Status: Available

Patch

A patched-image rebuild at v2.13.0 becomes available on HarborGuard for any environment where an affected version of the plugin is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; there is no requirement for local or physical access.

  • Authentication: Not required

    No account or credentials of any kind are needed to attempt exploitation.

  • Victim interaction: Required

    A user with access to the affected site must perform some action, such as clicking a crafted link or visiting an attacker-controlled page, for the attack to succeed.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker can read sensitive data from the WordPress site, including stored user credentials, session tokens, and private content.
  • The attacker can write or modify persisted data, including posts, settings, and user account details.
  • The attacker can disrupt availability of the affected WordPress site, causing service outages for legitimate users.
  • Because all three impact dimensions are rated HIGH, a single successful exploit can result in full compromise of the affected WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42629 runs against customer registries and CI pipelines as soon as the advisory is ingested, covering any image that bundles PowerPack Pro for Elementor below v2.13.0, including internally built WordPress images. Where compliance policy permits, a rebuild at the fixed version v2.13.0 is queued automatically. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Until a rebuild is confirmed clean in staging, network-policy controls that restrict unauthenticated external access to the WordPress admin surface provide a meaningful compensating control for environments that cannot patch immediately.
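For teams that want to check an unpacked image or web root themselves, the following is an added example, not HarborGuard's or the plugin vendor's code. It reads WordPress plugin headers and reports installs older than the fixed version v2.13.0. It assumes the plugin's `Plugin Name:` header equals the display name shown on this page, and the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 13, 0)  # fixed version stated in this advisory
# Assumption: the plugin's "Plugin Name:" header matches the name on this page.
PLUGIN_NAME = "PowerPack Pro for Elementor"
# Header lines look like " * Version: 2.12.3" inside the main file's comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$",
                    re.M | re.I)

def parse_version(text):
    """Turn 'v2.12.3' or '2.13' into a 3-part tuple for comparison."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """WordPress reads plugin metadata from the first 8 KiB of the file."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", "replace")
    meta = {}
    for key, value in HEADER.findall(head):
        meta.setdefault(key.lower(), value)  # first occurrence wins
    return meta

def find_affected(rootfs):
    """Return [(path, version)] for installs of the plugin below FIXED."""
    hits = []
    pattern = "**/wp-content/plugins/*/*.php"
    for php in sorted(Path(rootfs).glob(pattern)):
        meta = read_header(php)
        if meta.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        # A missing Version header parses as 0.0.0 and is reported (fail closed).
        version = meta.get("version", "0")
        if parse_version(version) < FIXED:
            hits.append((str(php), version))
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = find_affected(root)
    for path, version in found:
        print(f"AFFECTED {version} {path}")
    sys.exit(1 if found else 0)
```

The non-zero exit status on a hit lets the script gate a CI step or image build.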


Fix available: v2.13.0
Affected packages
  • Powerpackelements / PowerPack Pro for Elementor
    < v2.13.0 (from n/a)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H