Lo que sucedió (en términos simples)

Essential Addons for Elementor (Popular Elementor Templates & Widgets component) versions up to and including 6.6.4 contain a broken access control vulnerability. The vulnerable code fails to verify authorization for certain requests, which means an unauthenticated visitor — including automated bots — may be able to retrieve information intended only for authenticated users or administrators.

The plugin vendor released a patched version, 6.6.5, which corrects the missing authorization checks. The assigned CVE is CVE-2026-7665.

If you run this plugin, update to 6.6.5 or later. Below I outline practical steps to take immediately and temporary controls if you can’t update right away.

Por qué esto es importante incluso cuando la gravedad es “baja”

• “Low” severity does not equal “no risk.” Information leaks are commonly chained into more serious attacks.
• Broken access control issues are attractive to mass scanners — they can find susceptible sites quickly at scale.
• Exposed data (IDs, templates, widget configs, resource links) helps attackers map a site and plan follow-up exploits.
• Opportunistic attackers run automated campaigns; low-severity disclosures become high-value when abused en masse.

Treat the issue seriously and prioritise remediation.

Technical summary — what “broken access control” means here

Broken access control occurs when the application fails to verify that the requester has rights to perform an action or read data. Typical failures include:

• Missing capability checks in functions returning sensitive data.
• No nonce or authentication validation for AJAX/REST endpoints.
• Publicly exposed API endpoints that should require login.
• Insecure use of admin-ajax.php or custom REST endpoints without user capability checks.

For CVE-2026-7665, the plugin returned information from an endpoint without enforcing authorization. Endpoints and parameters may vary by version and configuration; the root cause is a missing authorization check.

Impact scenarios — what an attacker could do

• Reconocimiento: Enumerate templates, widget configurations, or internal IDs to map the site.
• Content harvesting: Extract HTML, links, or embedded resources for phishing or scraping.
• Pivotar: Use disclosed data to find other vulnerable components or weak roles.
• Privacy risk: Exposed templates could (in rare cases) include internal or personal data.
• Supply-chain: Multi-site or agency environments can increase risk if configuration details leak.

Automated scanning amplifies these risks — mitigation is about speed and layered controls.

Who should be worried (and why)

• Any site using Essential Addons for Elementor (plugin versions <= 6.6.4).
• Sites that store sensitive content inside templates or widget settings.
• Agencies and hosts managing multiple client sites with this plugin installed.
• Sites where exposed data could enable follow-up attacks against other components.

To check the installed version: Dashboard → Plugins → find “Essential Addons for Elementor” and read the version, or inspect the plugin header file in wp-content/plugins/essential-addons-for-elementor-lite/ on the server.

Immediate actions: update, restrict, or isolate

1. Update to 6.6.5 or later immediately.

   This is the only complete fix. Test in staging if you have customisations, but avoid unnecessary delays for security updates.

2. Si no puede actualizar de inmediato:
   • Disable the affected component (Popular Elementor Templates & Widgets) if granular options exist.
   • Consider deactivating the plugin until the patch can be applied (safest option).
   • If deactivation is impractical, apply temporary controls described below (WAF/server restrictions/custom capability checks).
3. Revisar registros: Inspect access logs and any security appliance logs for unusual activity against plugin endpoints since disclosure.

Mitigaciones temporales si no puedes actualizar de inmediato.

If the plugin must stay active, apply one or more of these short-term measures:

• Restrict access to plugin endpoints via your web application firewall (WAF). Block unauthenticated requests to known plugin AJAX/REST endpoints.
• Add server-level rules (nginx/Apache) to block requests with suspicious query parameters or referencing plugin files that should not be public.
• Require authentication for admin-ajax.php requests that include plugin-specific action names.
• Limit access to wp-admin and admin-ajax.php by IP for non-public sites or small maintenance teams.
• Use rate-limiting to slow automated scanners and enumeration attempts.

These are temporary. Apply the official plugin update as soon as possible.

Recommended WAF rules and examples for virtual patching

A WAF can intercept malicious requests before they reach vulnerable code. Below are guideline rules you can adapt for mod_security, nginx, or similar. Test in monitor mode first to tune false positives.

1) Block unauthenticated requests targeting plugin AJAX actions (ModSecurity-style pseudo-rule)

# Example ModSecurity pseudo-rule: block likely unauthenticated plugin AJAX calls
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \n  "phase:1,chain,deny,log,msg:'Block unauthenticated access to EAEL plugin AJAX actions',id:100001"
  SecRule ARGS_GET:action "@pm eael_get_templates eael_popular_templates eael_fetch_widget" "t:none"
  SecRule &REQUEST_HEADERS:Cookie "@eq 0"

Replace action names (eael_*) with the actual action names for your plugin version. This denies requests without any Cookie header where the action matches the plugin’s AJAX calls.

2) Require wordpress_logged_in cookie for sensitive requests (nginx example)

location = /wp-admin/admin-ajax.php {
    if ($arg_action ~* "(eael_get_templates|eael_popular_templates|eael_fetch_widget)") {
        if ($http_cookie !~* "wordpress_logged_in_") {
            return 401;
        }
    }
    fastcgi_pass php-fpm;
    ...
}

3) Deny direct requests to plugin PHP files that should not be public

location ~* /wp-content/plugins/essential-addons-for-elementor-lite/includes/.*\.php$ {
    deny all;
    return 403;
}

4) Rate limit enumeration and scanner patterns

limit_req_zone $binary_remote_addr zone=ajax_zone:10m rate=10r/m;

location = /wp-admin/admin-ajax.php {
    limit_req zone=ajax_zone burst=20 nodelay;
    fastcgi_pass php-fpm;
    ...
}

5) Virtual patch: require a custom header for plugin endpoints

SecRule REQUEST_URI "@pm /wp-json/eael/ /wp-admin/admin-ajax.php" \n  "phase:1,chain,deny,id:100002,msg:'EAEL endpoint request missing X-Site-Auth header'"
  SecRule REQUEST_HEADERS:X-Site-Auth "!@streq 'your-temporary-secret'"

This requires legitimate requests to present a secret header. It is blunt and must be coordinated with legitimate front-end requests or proxies.

6) Monitor before blocking

Run new rules in detection/logging mode for 48 hours, review logs, then enable blocking once confident.

Example short PHP barrier — block specific unauthenticated AJAX actions

If you cannot deploy WAF rules immediately, add a small snippet to your theme’s functions.php de tu tema or a site-specific plugin. This checks AJAX requests and blocks known plugin actions for unauthenticated users. Back up before editing PHP.