CRITICAL | CVE-2026-56028 | CNA: Patchstack

CVE-2026-56028: WordPress Easy Elements for Elementor – Addons & Website Templates plugin <= 1.4.9 - Privilege Escalation vulnerability

Unauthenticated Privilege Escalation in Easy Elements for Elementor – Addons & Website Templates <= 1.4.9 versions.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated privilege escalation vulnerability affects the Easy Elements for Elementor plugin (Addons and Website Templates) by themewant, versions 1.4.9 and earlier. The vulnerability is reachable over the network with no authentication or user interaction required, making it trivially exploitable by any remote attacker. Successful exploitation allows an attacker to escalate their privileges on the WordPress site, enabling full administrative control, arbitrary content modification, and access to all stored data. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-56028 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle this WordPress plugin. No manual configuration is required for coverage to apply.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each environment's compliance policy. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment themewant ships a remediated release. In the interim, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation of affected workloads or feature-flag gating on the plugin.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress service via HTTP or HTTPS from any remote location.

  • Authentication: Not required

    No account or session credentials of any kind are needed; the privilege escalation path is fully accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attack completes without any action from an existing user or administrator of the site.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental dependencies beyond network access.

Blast Radius

  • An attacker gains elevated, likely administrative, privileges on the WordPress site without holding any prior account.
  • With administrative access, the attacker reads all stored site data including user credentials, session tokens, personal information, and any private content.
  • The attacker can modify or delete all persisted posts, pages, plugin settings, and database rows controlled by WordPress.
  • Full administrative control allows the attacker to install arbitrary plugins or themes, enabling further code execution within the hosting environment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged as Critical (CVSS 9.8) with no upstream fix currently published, so the primary capability is continuous advisory monitoring. HarborGuard re-evaluates the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is released. While no patch is available, customers can use HarborGuard policy controls to apply compensating measures: network-policy isolation to restrict external access to affected WordPress instances, egress filtering on containers running the plugin, and workload-level annotations to flag affected images for manual review. Environments running Easy Elements for Elementor at version 1.4.9 or earlier should treat this as a high-priority item given the zero-barrier exploitation path.


Affected packages

  • themewant / Easy Elements for Elementor – Addons & Website Templates
    ≤ 1.4.9

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H