CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50442 – WordPress Royal Elementor Addons and Templates plugin <= 1.3.980 - XML External Entity (XXE) vulnerability
https://notcve.org/view.php?id=CVE-2024-50442
Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980. The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to External Entity Injection in all versions up to, and including, 1.3.980. This is due to improper restriction and sanitization on external entities. This makes it possible for authenticated attackers, with author-level access and above, to inject external entities and perform other attacks like SSRF and remote code execution in the proper configuration. • https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-980-xml-external-entity-xxe-vulnerability?_s_id=cve • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44001 – WordPress Royal Elementor Addons and Templates plugin <= 1.3.982 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-44001
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through 1.3.982. The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.982 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-982-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4489 – Royal Elementor Addons and Templates <= 1.3.976 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Uploads
https://notcve.org/view.php?id=CVE-2024-4489
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la función 'custom_upload_mimes' en versiones hasta la 1.3.976 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.3.973/admin/templates-kit.php#L896 https://plugins.trac.wordpress.org/changeset/3097775 https://www.wordfence.com/threat-intel/vulnerabilities/id/57bf222b-5f49-46e2-be84-3e6444807096?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4488 – Royal Elementor Addons and Templates <= 1.3.976 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4488
The Royal Elementor Addons and Templates for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘inline_list’ parameter in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Los complementos Royal Elementor Addons and Templates para WordPress son vulnerables a Cross-Site Scripting Almacenado a través del parámetro 'inline_list' en versiones hasta la 1.3.976 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/form-builder/widgets/wpr-form-builder.php#L3238 https://plugins.trac.wordpress.org/changeset/3097775 https://www.wordfence.com/threat-intel/vulnerabilities/id/cb0ac434-7e85-44d4-b21e-df462f63cd9c?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32786 – WordPress Royal Elementor Addons and Templates plugin <= 1.3.93 - IP Bypass vulnerability
https://notcve.org/view.php?id=CVE-2024-32786
Authentication Bypass by Spoofing vulnerability in WP Royal Royal Elementor Addons allows Functionality Bypass.This issue affects Royal Elementor Addons: from n/a through 1.3.93. La vulnerabilidad de omisión de autenticación mediante suplantación de identidad en WP Royal Elementor Addons permite la omisión de funcionalidad. Este problema afecta a Royal Elementor Addons: desde n/a hasta 1.3.93. The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 1.3.93 due to insufficient IP address validation. This makes it possible for unauthenticated attackers to spoof their IP adress. • https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-93-ip-bypass-vulnerability?_s_id=cve • CWE-290: Authentication Bypass by Spoofing CWE-348: Use of Less Trusted Source •