cbcvebase.

Royal-Elementor-Addons Royal Elementor Addons vulnerabilities

58 known vulnerabilities affecting royal-elementor-addons/royal_elementor_addons.

Total CVEs
58
CISA KEV
0
Public exploits
1
Exploited in wild
9
Severity breakdown
CRITICAL3HIGH8MEDIUM46LOW1

Vulnerabilities

Page 1 of 3
CVE-2023-5360P1CRITICALCVSS 9.8ExploitedPoCfixed in 1.3.792023-10-31
CVE-2023-5360 [CRITICAL] CWE-434 CVE-2023-5360: The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate u The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.
nvd
CVE-2022-4708P1MEDIUMCVSS 6.5Exploited≤ 1.3.592023-01-10
CVE-2022-4708 [MEDIUM] CWE-284 CVE-2022-4708: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_template_conditions' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to modify the conditions under which templates are displayed.
nvd
CVE-2022-4709P2MEDIUMCVSS 6.5Exploited≤ 1.3.592023-01-10
CVE-2022-4709 [MEDIUM] CWE-284 CVE-2022-4709: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_library_template' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate templates from the plugin's template library.
nvd
CVE-2022-4705P2MEDIUMCVSS 4.3Exploited≤ 1.3.592023-01-10
CVE-2022-4705 [MEDIUM] CVE-2022-4705: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_final_settings_setup' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to finalize activation of preset site configuration templates, which can be chosen and importe
nvd
CVE-2022-4711P1MEDIUMCVSS 4.3Exploitedfixed in 1.3.602023-01-10
CVE-2022-4711 [MEDIUM] CWE-284 CVE-2022-4711: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu settings for any menu item.
nvd
CVE-2022-4702P2MEDIUMCVSS 6.5Exploited≤ 1.3.592023-01-10
CVE-2022-4702 [MEDIUM] CWE-284 CVE-2022-4702: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_fix_royal_compatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited ha
nvd
CVE-2022-4700P2HIGHCVSS 8.8Exploited≤ 1.3.592023-01-10
CVE-2022-4700 [HIGH] CWE-284 CVE-2022-4700: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'royal-elementor-kit' theme. If no such theme is installed doing so c
nvd
CVE-2022-4701P2HIGHCVSS 8.8Exploited≤ 1.3.592023-01-10
CVE-2022-4701 [HIGH] CWE-285 CVE-2022-4701: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugi
nvd
CVE-2022-4703P2HIGHCVSS 8.1Exploited≤ 1.3.592023-01-10
CVE-2022-4703 [HIGH] CWE-284 CVE-2022-4703: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_reset_previous_import' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported data.
nvd
CVE-2024-1567P2CRITICALCVSS 9.8fixed in 1.3.952024-05-02
CVE-2024-1567 [CRITICAL] CWE-434 CVE-2024-1567: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file type validation in the 'file_validity' function in all versions up to, and including, 1.3.94. This makes it possible for unauthenticated attackers to upload dangerous file types such as .svgz on the affected site's server which may
nvd
CVE-2024-32786P3CRITICALCVSS 9.8fixed in 1.3.952024-05-17
CVE-2024-32786 [CRITICAL] CWE-290 CVE-2024-32786: Authentication Bypass by Spoofing vulnerability in WP Royal Royal Elementor Addons allows Functional Authentication Bypass by Spoofing vulnerability in WP Royal Royal Elementor Addons allows Functionality Bypass.This issue affects Royal Elementor Addons: from n/a through 1.3.93.
nvd
CVE-2023-5922P3HIGHCVSS 7.5fixed in 1.3.812024-01-16
CVE-2023-5922 [HIGH] CWE-639 CVE-2023-5922: The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users a The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content
nvd
CVE-2022-4704P3HIGHCVSS 8.1≤ 1.3.592023-01-10
CVE-2022-4704 [HIGH] CWE-284 CVE-2022-4704: The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_templates_kit' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates including images and settings.
nvd
CVE-2024-50442P3HIGHCVSS 7.2fixed in 1.3.9812024-10-28
CVE-2024-50442 [HIGH] CWE-611 CVE-2024-50442: Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addo Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through <= 1.3.980.
nvd
CVE-2025-1441P3HIGHCVSS 8.8≤ 1.7.10072025-02-19
CVE-2025-1441 [HIGH] CWE-352 CVE-2025-1441: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Fo The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request
nvd
CVE-2022-47175P4HIGHCVSS 8.8≤ 1.3.752023-10-06
CVE-2022-47175 [HIGH] CWE-352 CVE-2022-47175: Cross-Site Request Forgery (CSRF) vulnerability in P Royal Royal Elementor Addons and Templates plug Cross-Site Request Forgery (CSRF) vulnerability in P Royal Royal Elementor Addons and Templates plugin <= 1.3.75 versions.
nvd
CVE-2024-3675P4MEDIUMCVSS 6.4fixed in 1.3.9722024-05-02
CVE-2024-3675 [MEDIUM] CWE-79 CVE-2024-3675: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scr The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flip Carousel, Flip Box, Post Grid, and Taxonomy List widgets in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authent
nvd
CVE-2024-0442P4MEDIUMCVSS 6.4fixed in 1.3.882024-02-29
CVE-2024-0442 [MEDIUM] CWE-79 CVE-2024-0442: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scr The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via element URL parameters in all versions up to, and including, 1.3.87 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web script
nvd
CVE-2024-2799P4MEDIUMCVSS 6.4fixed in 1.3.972024-04-23
CVE-2024-2799 [MEDIUM] CWE-79 CVE-2024-2799: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scr The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid & Advanced Text widget HTML tags in all versions up to, and including, 1.3.96 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contr
nvd
CVE-2024-8482P4MEDIUMCVSS 6.4fixed in 1.3.9872024-10-08
CVE-2024-8482 [MEDIUM] CWE-79 CVE-2024-8482: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scr The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.3.982 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web
nvd
Royal-Elementor-Addons Royal Elementor Addons vulnerabilities | cvebase