CVE-2026-4326
Published: 09 April 2026
Summary
CVE-2026-4326 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-11 (User-installed Software).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations, directly addressing the CVE's failure to halt execution on failed capability checks for plugin installation.
CM-11 prohibits user-installed software, preventing low-privilege users from installing and activating arbitrary plugins as exploited in this CVE.
AC-6 enforces least privilege, mitigating by ensuring subscriber-level users lack the 'install_plugins' capability that the flawed function fails to enforce.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in public-facing WordPress plugin allows low-privilege authenticated users to install/activate arbitrary plugins (bypassing capability check), directly enabling exploitation for privilege escalation (T1068) via public-facing app (T1190) and deployment of malicious server components like web shells (T1505.003).
NVD Description
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate…
more
execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.
Deeper analysisAI
CVE-2026-4326 is a Missing Authorization vulnerability (CWE-862) in the Vertex Addons for Elementor plugin for WordPress, affecting all versions up to and including 1.6.4. The issue stems from improper authorization enforcement in the activate_required_plugins() function within the plugin's Ajax.php file. Specifically, the function performs a current_user_can('install_plugins') capability check but does not terminate execution upon failure; it merely sets an error message variable while proceeding to execute the plugin installation and activation code. The error response is only sent after these operations have completed.
An attacker with authenticated access at Subscriber level or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By invoking the flawed function, they can install and activate arbitrary plugins from the WordPress repository, potentially leading to full site compromise through malicious plugin payloads. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects the high potential impact on confidentiality, integrity, and availability.
References provided link to source code in the plugin's Ajax.php file across version 1.6.4 and trunk, highlighting the problematic lines: 229 and 232 for the capability check and error setting, 264 and 278 for execution continuation, and 229 in trunk for comparison. No explicit patch or mitigation details are detailed in the available information.
Details
- CWE(s)