Unauthorized File Upload Vulnerability in Royal Addons for Elementor by WordPress
CVE-2025-11363

Currently unrated

Key Information:

Vendor: WordPress
Status: Royal Addons For Elementor
Vendor: CVE Published:; 15 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-11363?

The Royal Addons for Elementor plugin prior to version 1.7.1037 is susceptible to a vulnerability that permits unauthenticated users to upload arbitrary media files via the wpr_addons_upload_file action. This lack of proper authorization can lead to potential exploitation, compromising the security of the WordPress installation and enabling malicious users to execute harmful actions.

Affected Version(s)

Royal Addons for Elementor 0 < 1.7.1037

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-11363 - Proof of Concept

References

https://wpscan.com/vulnerability/b2eadb7a-30a4-44c7-a420-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 15, 2025
👾
Exploit known to exist
Dec 15, 2025
Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Oct 6, 2025

Credit

Envel Le Clainche

WPScan

JSON