CVE-2026-1004
Essential Addons for Elementor – Popular Elementor Templates & Widgets Vulnerability – Missing Authorization to Unauthenticated Sensitive Information Exposure – CVE-2026-1004 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor – Popular Elementor Templates & Widgets
Key Information
Software Type: Plugin
Software Slug: essential-addons-for-elementor-lite
Software Status: Active
Software Author: wpdevteam
Software Downloads: 117,159,772
Active Installs: 2,000,000
Last Updated: January 22, 2026
Patched Versions: 6.5.6
Affected Versions: ≤ 6.5.5
Vulnerability Details
Name: Essential Addons for Elementor ≤ 6.5.5 – Missing Authorization to Unauthenticated Sensitive Information Exposure
Title: Missing Authorization to Unauthenticated Sensitive Information Exposure
Type: Missing Authorization / Sensitive Information Exposure
CVE: CVE-2026-1004
CVSS Score: 5.3 (Medium)
Publicly Published: January 15, 2026
Researcher: shrikant bhosale
Description:
The Essential Addons for Elementor plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 6.5.5 via the eael_product_quickview_popup function. This vulnerability allows unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted from public access.
Summary
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin contains a vulnerability in versions up to and including 6.5.5 that allows unauthenticated users to access sensitive WooCommerce product information. This vulnerability has been patched in version 6.5.6.
Detailed Overview
This vulnerability is caused by a missing authorization check within the eael_product_quickview_popup function. As a result, the function can be accessed without authentication, allowing anyone to retrieve information about WooCommerce products that are not intended to be publicly visible, including draft, pending, or private products.
Although the issue does not allow attackers to modify data or take control of a site, it does expose information that many site owners assume is private. This can include unreleased products, pricing details, product descriptions, or internal metadata that could reveal business strategies or upcoming launches.
The vulnerability was responsibly disclosed by shrikant bhosale and publicly published in January 2026. The plugin developers addressed the issue by implementing proper authorization checks in version 6.5.6.
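The class of bug described above, shown as an added illustration rather than the plugin's own source or its 6.5.6 patch: a product quick-view handler that returns any product by ID, next to a version that checks status and capability first. The handler names, the example_quickview hook and the product_id parameter are hypothetical; the WordPress and WooCommerce calls are real.

```php
<?php
// Added illustration: hypothetical handlers, NOT code from Essential Addons.
// Assumed names: example_quickview (hook), product_id (request parameter).

// Before: reachable while logged out, returns whatever product the ID names.
function example_quickview_unchecked() {
    $product = wc_get_product( absint( $_POST['product_id'] ?? 0 ) );
    if ( ! $product ) {
        wp_send_json_error( null, 404 );
    }
    // No status or capability check: draft, pending and private products
    // are serialized exactly like published ones.
    wp_send_json_success( example_quickview_payload( $product ) );
}

// After: published products stay public; any other status must pass
// WordPress's own read_post capability mapping for the current user.
function example_quickview_checked() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = $product_id ? wc_get_product( $product_id ) : false;
    if ( ! $product ) {
        wp_send_json_error( null, 404 );
    }
    $allowed = 'publish' === $product->get_status()
        || current_user_can( 'read_post', $product_id );
    if ( ! $allowed ) {
        // Same response as "not found", so a hidden product's ID is not confirmed.
        wp_send_json_error( null, 404 );
    }
    wp_send_json_success( example_quickview_payload( $product ) );
}

// Fields a quick-view popup typically renders (constructed for this example).
function example_quickview_payload( WC_Product $product ) {
    return array(
        'name'              => $product->get_name(),
        'price'             => $product->get_price(),
        'short_description' => $product->get_short_description(),
    );
}

// Registering the nopriv hook is what makes the handler reachable without
// a login, so the authorization decision has to live inside the handler.
add_action( 'wp_ajax_example_quickview', 'example_quickview_checked' );
add_action( 'wp_ajax_nopriv_example_quickview', 'example_quickview_checked' );
```

For a logged-out request, current_user_can( 'read_post', ... ) is false for draft, pending and private products, so only published products are returned.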
Risks and Potential Impact
For WooCommerce-powered websites, this vulnerability presents a real confidentiality risk. Unauthenticated visitors could potentially view products that are still in development, scheduled for future release, or intentionally hidden from the public.
For small businesses, this exposure can lead to competitive disadvantages, customer confusion, or premature disclosure of pricing and product details. While the CVSS score is moderate, the reputational and business impact may still be significant depending on the nature of the exposed content.
How to Remediate the Vulnerability
The recommended remediation is to update Essential Addons for Elementor to version 6.5.6 or later immediately. This update ensures that only authorized users can access product quick-view functionality for non-public products.
After updating, site owners should review their WooCommerce product visibility settings and confirm that no sensitive products are unintentionally exposed. Clearing caches and testing product pages after the update are also advised to ensure the fix is fully applied.
Advice for Users
Immediate Action:
Update Essential Addons for Elementor to version 6.5.6 or later as soon as possible.
Check for Signs of Vulnerability:
Review whether draft, pending, or private WooCommerce products are accessible from the front end. If unsure, test your site while logged out or use a private browsing window.
Alternate Plugins:
While the vulnerability has been patched, users may consider alternative Elementor addon plugins if minimizing plugin complexity or exposure is a priority.
Stay Updated:
Keep WordPress core, plugins, and themes updated at all times. Many vulnerabilities are only exploitable because updates are delayed.
Conclusion
The prompt patch released for this vulnerability highlights the importance of maintaining up-to-date plugins, especially on eCommerce-enabled websites. Site owners should ensure they are running Essential Addons for Elementor version 6.5.6 or later to prevent unauthorized access to sensitive product information.
Keeping a WordPress website secure is particularly challenging for small business owners who do not have the time to track vulnerability disclosures or security advisories. This issue demonstrates that even popular, well-established plugins can unintentionally expose private business data if updates are missed.
Essential Addons for Elementor is widely used to enhance Elementor-based sites, and affected versions prior to 6.5.6 may allow unauthenticated access to non-public WooCommerce product data. While this vulnerability does not enable full site compromise, it can still create real business risks through unintended information disclosure.
The most effective protection is consistent maintenance. Applying updates promptly, limiting plugin usage to what is truly necessary, and working with a trusted WordPress maintenance or security provider can significantly reduce risk. Staying proactive about security helps protect not only your website, but also your customers and your business reputation.
Staying Secure
Don’t tackle WordPress security alone – the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let’s chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We’ll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
