NotCVE - vendor:"Wproyal" product:"Royal Elementor Addons And Templates" version:" <= 1.3.986"

Page 3 of 19 results (0.015 seconds)

CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-1567 – Royal Elementor Addons and Templates <= 1.3.94 - Unauthenticated Limited File Upload

https://notcve.org/view.php?id=CVE-2024-1567

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file type validation in the 'file_validity' function in all versions up to, and including, 1.3.94. This makes it possible for unauthenticated attackers to upload dangerous file types such as .svgz on the affected site's server which may make cross-site scripting or remote code execution possible. El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a cargas de archivos limitadas debido a la falta de validación del tipo de archivo en la función 'file_validity' en todas las versiones hasta la 1.3.94 incluida. Esto hace posible que atacantes no autenticados carguen tipos de archivos peligrosos como .svgz en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código o cross-site scripting. • https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.3.89/classes/modules/forms/wpr-file-upload.php#L105 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.3.90/classes/modules/forms/wpr-file-upload.php https://plugins.trac.wordpress.org/changeset/3056612/royal-elementor-addons/tags/1.3.95/classes/modules/forms/wpr-file-upload.php?old=3055840&old_path=royal-elementor-addons%2Ftags%2F1.3.94%2Fclasses%2Fmodules%2Fforms%2Fwpr-file-upload.php https://www.wordfence& • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-1500 – Royal Elementor Addons and Templates <= 1.3.91 - Authenticated (Contributor+) Stored Cross-Site Scripting via Logo Widget

https://notcve.org/view.php?id=CVE-2024-1500

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Logo Widget in all versions up to, and including, 1.3.91 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del widget de logotipo en todas las versiones hasta la 1.3.91 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en las URL proporcionadas por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/logo/widgets/wpr-logo.php#L644 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/logo/widgets/wpr-logo.php#L664 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3037411%40royal-elementor-addons%2Ftags%2F1.3.91&new=3038353%40royal-elementor-addons%2Ftags%2F1.3.92 https://www.wordfence.com/threat-intel/vulnerabilities/id/8619c999-5cf7-4888-bdb2-815238411303?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-0442 – Royal Elementor Addons and Templates <= 1.3.87 - Authenticated (Contributor+) Stored Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2024-0442

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via element URL parameters in all versions up to, and including, 1.3.87 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de parámetros de URL de elementos en todas las versiones hasta la 1.3.87 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados con acceso de colaborador o superior inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3032004/royal-elementor-addons/tags/1.3.88/modules/advanced-slider/widgets/wpr-advanced-slider.php?old=3026824&old_path=royal-elementor-addons%2Ftags%2F1.3.87%2Fmodules%2Fadvanced-slider%2Fwidgets%2Fwpr-advanced-slider.php https://plugins.trac.wordpress.org/changeset/3032004/royal-elementor-addons/tags/1.3.88/modules/dual-button/widgets/wpr-dual-button.php?old=3026824&old_path=royal-elementor-addons%2Ftags%2F1.3.87%2Fmodules%2Fdual-button%2Fwidgets%2Fwpr-dual-button.php https: • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-0514 – Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via add_to_compare

https://notcve.org/view.php?id=CVE-2024-0514

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the add_to_compare function. This makes it possible for unauthenticated attackers to add items to user compare lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a la Cross-Site Request Forgery en todas las versiones hasta la 1.3.87 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función add_to_compare. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3026824%40royal-elementor-addons%2Ftags%2F1.3.87&new=3032004%40royal-elementor-addons%2Ftags%2F1.3.88 https://www.wordfence.com/threat-intel/vulnerabilities/id/b0955689-43a0-442c-974b-5db5e4171f6a?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-0515 – Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via remove_from_compare

https://notcve.org/view.php?id=CVE-2024-0515

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the remove_from_compare function. This makes it possible for unauthenticated attackers to remove items from user compare lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a la Cross-Site Request Forgery en todas las versiones hasta la 1.3.87 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función remove_from_compare. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3026824%40royal-elementor-addons%2Ftags%2F1.3.87&new=3032004%40royal-elementor-addons%2Ftags%2F1.3.88 https://www.wordfence.com/threat-intel/vulnerabilities/id/a4178271-c09e-4094-a616-5a00d28f39a3?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

1 2 3 4