Insufficient Access Control in Royal Elementor Addons for WordPress
CVE-2022-4702

5.4MEDIUM

Summary

The Royal Elementor Addons plugin for WordPress suffers from an insufficient access control vulnerability in the 'wpr_fix_royal_compatibility' AJAX action. This flaw, present in versions up to and including 1.3.59, permits authenticated users, including those with only subscriber-level access, to deactivate any plugin on the site. The only exceptions are a very limited set of hardcoded plugins. Additionally, this vulnerability may lead the website to switch to the 'royal-elementor-kit' theme, which can cause significant availability issues for the affected site.

Affected Version(s)

Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets) * <= 1.3.59

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ramuel Gall
.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.