
CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Feb 2024 — The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3026824%40royal-elementor-addons%2Ftags%2F1.3.87&new=3032004%40royal-elementor-addons%2Ftags%2F1.3.88
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Dec 2023 — The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and a REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access the content of arbitrary draft, private and password-protected posts/pages.
• https://wpscan.com/vulnerability/debd8498-5770-4270-9ee1-1503e675ef34
• CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 10.0 • EPSS: 93% • CPEs: 1 • EXPL: 14

09 Oct 2023 — The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE. The Royal Elementor Addons and Templates plugin for WordPress is vuln...
• https://packetstorm.news/files/id/175107
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Aug 2023 — Cross-Site Request Forgery (CSRF) vulnerability in the P Royal Royal Elementor Addons and Templates plugin, versions <= 1.3.75. The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.75. This is due to missing or incorrect nonce validation on several functions including wpr_rating_dismiss_notice, wp...
• https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-plugin-1-3-75-multiple-cross-site-request-forgery-csrf?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Jul 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 1.3.70, due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled, as the API key may have been compromised.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2938619%40royal-elementor-addons&new=2936984%40royal-elementor-addons&sfp_email=&sfph_mail=
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'royal-elementor-kit' theme. If no such theme is installed, doing so can also impact site availability as the site attempts to load a nonexistent theme. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from c...
• https://packetstorm.news/files/id/170459
• CWE-284: Improper Access Control

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient acces...
• https://packetstorm.news/files/id/170459
• CWE-285: Improper Authorization

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_fix_royal_compatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited hardcoded selection. This also switches the site to the 'royal-elementor-kit' theme, potentially resulting in availability issues. WordPress Royal Elementor add...
• https://packetstorm.news/files/id/170459
• CWE-284: Improper Access Control

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_reset_previous_import' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported data. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross-site request forgery, insufficient access control, and cross-site scripting vulnerabilities.
• https://packetstorm.news/files/id/170459
• CWE-284: Improper Access Control

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_templates_kit' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates, including images and settings. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross-site request forgery, insufficient access control, and cross-site scripting vulnerabilities.
• https://packetstorm.news/files/id/170459
• CWE-284: Improper Access Control