CVE-2026-7665 Overview
CVE-2026-7665 is an Information Exposure vulnerability in the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress. The flaw affects all versions up to and including 6.6.4. It resides in the ajax_load_more function, which applies insufficient restrictions on which posts can be returned to the requester. Unauthenticated attackers can extract data from password-protected, private, or draft posts that should remain inaccessible. The issue is tracked under [CWE-639] Authorization Bypass Through User-Controlled Key.
Critical Impact
Unauthenticated network attackers can read content from password-protected, private, and draft WordPress posts without any user interaction.
Affected Products
- Essential Addons for Elementor (Lite) plugin for WordPress, versions ≤ 6.6.4
- WordPress sites using Elementor with the Essential Addons widgets enabled
- Any installation where wp-admin/admin-ajax.php is reachable by unauthenticated visitors, which is the WordPress default (logged-out callers are dispatched to the handler through the wp_ajax_nopriv_ hook)
Discovery Timeline
- 2026-06-06 - CVE-2026-7665 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-7665
Vulnerability Analysis
The vulnerability exists in the ajax_load_more handler defined in includes/Traits/Ajax_Handler.php. This AJAX endpoint is reachable by unauthenticated users and accepts client-supplied parameters that influence the post query executed by WordPress. The handler does not constrain post status or password protection before returning content. An attacker who supplies crafted parameters can therefore cause the query to include posts with statuses such as private, draft, or pending, as well as published posts that are password-protected. The response returns rendered post content directly to the caller, bypassing the access checks WordPress would otherwise apply: the read_private_posts capability for non-public statuses and the password prompt for protected posts.
Root Cause
The root cause is insufficient authorization on a user-controlled query key, mapped to [CWE-639]. The ajax_load_more function trusts client-provided post selection parameters and does not validate that the requester is permitted to read the resolved posts. WP_Query returns whatever post_status it is given unless the caller restricts it (for example by fixing post_status server-side or passing 'perm' => 'readable'), and post content read without the post_password_required() gate is returned even for protected posts. Neither the standard capability check (read_private_posts) nor the password-protection check is enforced before the content is serialized into the AJAX response.
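The pattern described above, written out as an added example that is not code from the Essential Addons plugin: a client-steered WP_Query behind an admin-ajax action, shown beside a hardened handler in which the server fixes post_status, excludes password-protected posts at query time and re-checks each post before rendering. The action name eael_example_load_more, the eael_example_ function prefix and the request parameters args, page and post_type are assumptions for illustration.

```php
<?php
/**
 * Added example for this page; not code from the Essential Addons plugin.
 * Models the bug class described above next to a hardened handler.
 * Assumptions: action name eael_example_load_more, prefix eael_example_,
 * request parameters args, page and post_type.
 */

// --- Vulnerable shape (for contrast only; deliberately not registered) -------
function eael_example_vulnerable_load_more() {
    // The client controls the whole query, including post_status, so
    // args[post_status]=private (or draft, pending, any) reaches WP_Query as-is.
    // Without 'perm' => 'readable', WP_Query returns those posts to anyone.
    $args          = isset( $_POST['args'] ) ? (array) wp_unslash( $_POST['args'] ) : array();
    $args['paged'] = isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;

    $query = new WP_Query( $args );
    $html  = '';
    while ( $query->have_posts() ) {
        $query->the_post();
        // get_post_field() returns raw content and, unlike get_the_content(),
        // does not apply the post_password_required() gate.
        $html .= '<article>' . get_the_title() . get_post_field( 'post_content' ) . '</article>';
    }
    wp_reset_postdata();
    wp_send_json_success( $html );
}

// --- Hardened handler --------------------------------------------------------
function eael_example_hardened_load_more() {
    // Accept only the parameters the widget needs, and sanitize them.
    $paged     = isset( $_POST['page'] ) ? max( 1, absint( $_POST['page'] ) ) : 1;
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : 'post';

    // Only public post types may be listed at all.
    $type_obj = get_post_type_object( $post_type );
    if ( ! $type_obj || ! $type_obj->public ) {
        wp_send_json_error( 'invalid post type', 400 ); // calls wp_die()
    }

    // The server decides post_status. Logged-out callers get published posts
    // only; private posts appear only for users holding the type's
    // read_private_posts capability.
    $statuses = array( 'publish' );
    if ( is_user_logged_in() && current_user_can( $type_obj->cap->read_private_posts ) ) {
        $statuses[] = 'private';
    }

    $query = new WP_Query( array(
        'post_type'      => $post_type,
        'post_status'    => $statuses,
        'perm'           => 'readable', // let WP_Query re-apply read_private_posts
        'has_password'   => false,      // exclude password-protected posts at query time
        'paged'          => $paged,
        'posts_per_page' => 10,
    ) );

    $html = '';
    while ( $query->have_posts() ) {
        $query->the_post();
        // Belt and braces: a pre_get_posts filter could have widened the query,
        // so re-check status and password state per post before rendering.
        if ( ! in_array( get_post_status(), $statuses, true ) || post_password_required() ) {
            continue;
        }
        $html .= '<article><h2>' . esc_html( get_the_title() ) . '</h2>'
               . apply_filters( 'the_content', get_the_content() ) . '</article>';
    }
    wp_reset_postdata();

    wp_send_json_success( array(
        'html'     => $html,
        'has_more' => $paged < (int) $query->max_num_pages,
    ) );
}
// Register for both logged-in and logged-out callers; authorization happens inside.
add_action( 'wp_ajax_eael_example_load_more',        'eael_example_hardened_load_more' );
add_action( 'wp_ajax_nopriv_eael_example_load_more', 'eael_example_hardened_load_more' );
```

A nonce check would not fix this class of bug: a logged-out visitor can always fetch a front-end nonce, so the authorization decision has to be made server-side on post_status and password state, as the hardened handler does.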
Attack Vector
Exploitation requires only network access to a vulnerable WordPress site. The attacker sends a crafted POST request to wp-admin/admin-ajax.php invoking the ajax_load_more action with parameters that cause the underlying query to include non-public posts. No authentication, privileges, or user interaction are required. The vulnerability impacts confidentiality only — integrity and availability are not affected. Technical details for the vulnerable code paths are documented in the Wordfence Vulnerability Report and the upstream source at WordPress Plugin Trac – Ajax_Handler.php.
Detection Methods for CVE-2026-7665
Indicators of Compromise
- Unauthenticated POST requests to /wp-admin/admin-ajax.php whose body carries action=load_more (or the related ajax_load_more parameters) from external IPs. The action name travels in the POST body, so it is visible only where request bodies are logged (a WAF audit log or application-level logging), not in a standard access log.
- AJAX responses containing slugs or titles of posts marked private, draft, or password-protected in the database.
- Repeated parameter fuzzing against the ajax_load_more endpoint enumerating post IDs or post types.
Detection Strategies
- Inspect request logs that capture POST bodies and cookies (a WAF audit log or an application-level hook; a default web server access log records only the URI) for high-volume requests to admin-ajax.php carrying the Essential Addons load-more action and no wordpress_logged_in_ cookie.
- Correlate AJAX response sizes and post IDs against the WordPress posts table to identify disclosure of non-public content.
- Deploy a WordPress security plugin or WAF rule that flags requests invoking ajax_load_more from unauthenticated sessions.
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and forward logs to a centralized analytics platform for behavioral baselining.
- Alert on unusual outbound payload sizes from AJAX endpoints, which may indicate bulk extraction of post content.
- Monitor for User-Agent strings associated with automated scanners such as wpscan, nuclei, or ffuf targeting WordPress endpoints, treating these as low-confidence signals since the User-Agent header is attacker-controlled.
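Because the action name and query parameters travel in the POST body, a plain access log cannot support the indicators above. The following must-use plugin is an added example, not part of the original page or of the Essential Addons plugin: it hooks admin_init, which admin-ajax.php fires before dispatching to wp_ajax_{action} or wp_ajax_nopriv_{action}, and emits one JSON line per watched request, flagging logged-out callers that ask for anything other than published posts. The watched action names load_more and ajax_load_more and the parameter names it inspects are taken from this page's indicators and are assumptions; align them with the plugin source.

```php
<?php
/**
 * Plugin Name: Example admin-ajax action logger
 * Description: Added example for this page; drop into wp-content/mu-plugins/.
 * Not part of the original page or of the Essential Addons plugin. Writes one
 * JSON line per watched admin-ajax request to the PHP error log so a log
 * shipper can forward it. Watched action names and inspected parameter
 * names are assumptions.
 */

// admin-ajax.php fires admin_init before dispatching to wp_ajax_{action} /
// wp_ajax_nopriv_{action}; priority 0 runs this before the plugin handler.
add_action( 'admin_init', 'example_log_ajax_load_more', 0 );

function example_watched_actions() {
    return array( 'load_more', 'ajax_load_more' ); // assumed action names
}

// Collect every post_status the caller asked for, whether passed at the top
// level or nested in an args[] array, as a flat list of sanitized strings.
function example_requested_statuses( array $request ) {
    $scopes = array( $request );
    if ( isset( $request['args'] ) ) {
        $scopes[] = (array) $request['args'];
    }
    $found = array();
    foreach ( $scopes as $scope ) {
        if ( isset( $scope['post_status'] ) ) {
            foreach ( (array) $scope['post_status'] as $s ) {
                $found[] = sanitize_key( $s );
            }
        }
    }
    return array_values( array_unique( $found ) );
}

function example_log_ajax_load_more() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, example_watched_actions(), true ) ) {
        return;
    }

    $request  = wp_unslash( $_REQUEST );
    $statuses = example_requested_statuses( $request );
    $authed   = is_user_logged_in();

    $event = array(
        'ts'         => gmdate( 'c' ),
        'event'      => 'admin_ajax_action',
        'action'     => $action,
        'authed'     => $authed,
        'user_id'    => get_current_user_id(),
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'ua'         => isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 200 ) : '',
        'statuses'   => $statuses,
        'post__in'   => isset( $request['post__in'] ) ? array_map( 'absint', (array) $request['post__in'] ) : array(),
        // A logged-out caller requesting anything but published posts is the
        // signature of this bug class; alert on suspicious=true downstream.
        'suspicious' => ! $authed && array_diff( $statuses, array( 'publish' ) ) !== array(),
    );
    error_log( wp_json_encode( $event ) );
}
```

With WP_DEBUG_LOG enabled the lines land in wp-content/debug.log, which must not be web-readable; in production point PHP's error_log setting at a file outside the document root that the log shipper tails. Enumeration of post IDs shows up as many events from one ip with distinct post__in values, which is the correlation described in the detection strategies above.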
How to Mitigate CVE-2026-7665
Immediate Actions Required
- Update the Essential Addons for Elementor plugin to the first release later than 6.6.4 that carries the fix; confirm the release against the changeset referenced in the Wordfence Vulnerability Report rather than assuming any version above 6.6.4 is patched.
- Audit all WordPress installations to inventory plugin versions and identify exposed instances of the vulnerable handler.
- Review access logs for the past several weeks for signs of exploitation against admin-ajax.php with ajax_load_more parameters.
Patch Information
The vendor patch is tracked in the WordPress plugin repository. See the WordPress Changeset Overview and the trunk source for Ajax_Handler.php referenced in the Wordfence Vulnerability Report for the corrected post status and password-protection checks.
Workarounds
- Disable the Essential Addons for Elementor plugin until a fixed version is installed if the affected widgets are not business-critical.
- Deploy a WAF rule that blocks unauthenticated POST requests to admin-ajax.php carrying the ajax_load_more action. Note that the load-more widget is normally driven by logged-out visitors, so this rule also disables legitimate front-end paging until the plugin is patched.
- Restrict access to wp-admin/admin-ajax.php from untrusted networks where feasible, bearing in mind that many plugins serve front-end features through it, and require authentication for AJAX actions that return non-public post content.
# Example WAF rule (ModSecurity 2.x) blocking unauthenticated ajax_load_more requests.
# Caveat: the load-more widget is normally driven by logged-out visitors, so this
# rule also breaks legitimate front-end paging until the plugin is patched.
# The action names below are the ones referenced on this page; confirm them against
# the plugin source before deploying.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1026766501,phase:2,deny,status:403,log,t:none,chain,\
    msg:'Block CVE-2026-7665 ajax_load_more abuse'"
    SecRule ARGS:action "@rx ^(load_more|ajax_load_more)$" "t:none,chain"
        SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

