The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers — the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Essential Addons for Elementor plugin contains a critical authenticated account takeover vulnerability stemming from email header injection in its Login/Register widget. This flaw affects all versions up to 6.6.10 and exploits insufficient server-side validation of email header configuration settings. While authentication is required as a prerequisite, attackers with valid accounts can manipulate email headers to inject malicious content, potentially redirecting password reset links or hijacking account recovery flows to external attacker-controlled systems. This vulnerability impacts WordPress site administrators and users relying on this popular plugin for authentication workflows, with potential exposure across thousands of websites using Elementor as their page builder.
While this CVE does not map to specific MITRE ATT&CK techniques in the current framework, Casky's Claude-powered platform would detect the attack patterns through its 754 mapped security skills by identifying anomalous email header construction and authentication manipulation attempts. Practitioners using Casky would observe findings related to email header tampering behaviors, suspicious credential reset patterns, and account access anomalies that deviate from normal authentication flows. The platform's extended reasoning capabilities would correlate client-side validation bypasses with server-side injection opportunities, flagging instances where email configuration parameters contain special characters or SMTP directives. Security teams would see alerts for potential Credential Access and Account Manipulation patterns, enabling them to patch affected plugin versions and implement additional server-side validation controls before exploitation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-15155. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation