Insufficient Access Control in Royal Elementor Addons for WordPress
CVE-2022-4702
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 10 January 2023
Summary
The Royal Elementor Addons plugin for WordPress suffers from an insufficient access control vulnerability in the 'wpr_fix_royal_compatibility' AJAX action. This flaw, present in versions up to and including 1.3.59, permits authenticated users, including those with only subscriber-level access, to deactivate any plugin on the site. The only exceptions are a very limited set of hardcoded plugins. Additionally, this vulnerability may lead the website to switch to the 'royal-elementor-kit' theme, which can cause significant availability issues for the affected site.
Affected Version(s)
Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets) * <= 1.3.59
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved