
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_final_settings_setup' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action documented in CVE-2022-4704. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forger... • https://packetstorm.news/files/id/170459 • CWE-284: Improper Access Control

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.59. This is due to missing nonce validation in the 'wpr_create_mega_menu_template' AJAX function. This allows unauthenticated attackers to create Mega Menu templates, granted they can trick an administrator into performing an action, such as clicking a link. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access con... • https://packetstorm.news/files/id/170459 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_template_conditions' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to modify the conditions under which templates are displayed. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access control, and cross site scripting vulnerabilities. • https://packetstorm.news/files/id/170459 • CWE-284: Improper Access Control

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_library_template' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate templates from the plugin's template library. WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access control, and cross site scripting vulnerabilities. • https://packetstorm.news/files/id/170459 • CWE-284: Improper Access Control

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to insufficient input sanitization and output escaping of the 'wpr_ajax_search_link_target' parameter in the 'data_fetch' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is occurring because 'sanit... • https://packetstorm.news/files/id/170459 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 2

10 Jan 2023 — The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu settings for any menu item. The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to 1.3.59 ... • https://packetstorm.news/files/id/170459 • CWE-284: Improper Access Control

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Dec 2022 — The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated user, such as a subscriber, to delete arbitrary posts assuming they know the related slug. The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a ... • https://wpscan.com/vulnerability/c177f763-0bb5-4734-ba2e-7ba816578937 • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Dec 2022 — The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated user, such as a subscriber, to create a post (as well as any post type) with an arbitrary title. The Royal Elementor Addons WordPress plugin before 1.3.56 has no authorization or CSRF checks when creating a template, and does not ensure that the post created is a template. ... • https://wpscan.com/vulnerability/5e1244f7-39b5-4f37-8fef-e3f35fc388f1 • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization