CVE-2022-47175 – WordPress Royal Elementor Addons Plugin <= 1.3.75 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47175
Cross-Site Request Forgery (CSRF) vulnerability in P Royal Royal Elementor Addons and Templates plugin <= 1.3.75 versions. The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.75. This is due to missing or incorrect nonce validation on several functions, including wpr_rating_dismiss_notice, wpr_rating_already_rated, and wpr_pro_features_dismiss_notice. This makes it possible for unauthenticated attackers to invoke these functions via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
References: https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-plugin-1-3-75-multiple-cross-site-request-forgery-csrf?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-3709 – Royal Elementor Addons <=1.3.70 - Unauthenticated MailChimp API Key Disclosure
https://notcve.org/view.php?id=CVE-2023-3709
The Royal Elementor Addons plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 1.3.70 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled, as the API key may have been compromised.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2938619%40royal-elementor-addons&new=2936984%40royal-elementor-addons&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/86c9bcf1-c69e-47ca-b74b-8ce6157f520b?source=cve
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-4707 – Royal Elementor Addons <= 1.3.59 - Cross-Site Request Forgery to Menu Template creation
https://notcve.org/view.php?id=CVE-2022-4707
The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.59. This is due to missing nonce validation in the 'wpr_create_mega_menu_template' AJAX function. This allows unauthenticated attackers to create Mega Menu templates, granted they can trick an administrator into performing an action, such as clicking a link. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross-site request forgery, insufficient access control, and cross-site scripting vulnerabilities.
References: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/admin/mega-menu.php?rev=2809656 https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons https://www.wordfence.com/threat-intel/vulnerabilities/id/55db7d81-7ffb-49da-b64e-23e892bddc57
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-4701 – Royal Elementor Addons <= 1.3.59 - Insufficient Access Control to Plugin Activation
https://notcve.org/view.php?id=CVE-2022-4701
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross-site request forgery, insufficient access control, and cross-site scripting vulnerabilities.
References: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/admin/templates-kit.php?rev=2833046 https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons https://www.wordfence.com/threat-intel/vulnerabilities/id/55f7e39b-e7a5-462b-b1e4-c3d92038f17e
CWE-285: Improper Authorization
CVE-2022-4704 – Royal Elementor Addons <= 1.3.59 - Insufficient Access Control to Template Import
https://notcve.org/view.php?id=CVE-2022-4704
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_templates_kit' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates, including images and settings. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross-site request forgery, insufficient access control, and cross-site scripting vulnerabilities.
References: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/admin/templates-kit.php?rev=2833046 https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons https://www.wordfence.com/threat-intel/vulnerabilities/id/64cce528-0ad0-45ec-a8f6-e8791b0bece0
CWE-284: Improper Access Control