WordPress Royal Elementor 1.3.59 XSS / CSRF / Insufficient Access Controls

On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day. We released a firewall rule protecting against these vulnerabilities to Wordfence Premium, Care, and Response customers on December 23, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 22, 2023.

While none of the vulnerabilities were critical, several of them could have been used by any authenticated user to modify content, disable plugins, or even temporarily take down the site in some circumstances. Additionally, one of the patched vulnerabilities was a Reflected Cross-Site Scripting vulnerability which could have been used to take over the site if an attacker was able to trick an administrator into performing an action, such as clicking a link.

Vulnerability Details

The primary set of issues we found with Royal Elementor Addons was due to a lack of access control and nonce checks on various AJAX actions in the plugin. In WordPress, a handler hooked to wp_ajax_{action} runs for any logged-in user, so unless the handler itself verifies a capability (current_user_can) and a nonce (check_ajax_referer), a subscriber-level account can call it directly, and a forged request can make an administrator's browser call it on the attacker's behalf.

Description: Insufficient Access Control to Theme Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions:
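The following is an added example written for this page, not code from Royal Elementor Addons or from Wordfence. It shows a generic WordPress AJAX theme-activation handler in the unsafe shape the advisory describes (no capability check, no nonce check) next to a hardened version. The action names, function names and the nonce action string are hypothetical; the WordPress API calls (add_action, current_user_can, check_ajax_referer, switch_theme, wp_get_theme, wp_send_json_error, wp_send_json_success, wp_localize_script, wp_create_nonce) are real core functions.

```php
<?php
/*
 * Added example, not plugin code. Demonstrates an AJAX action that
 * activates a theme, first missing the checks the advisory describes,
 * then with them. All demo_* names and the nonce action are hypothetical.
 */

/* --- Vulnerable shape: reachable by any logged-in user, no nonce --- */

add_action( 'wp_ajax_demo_activate_theme', 'demo_activate_theme_unsafe' );

function demo_activate_theme_unsafe() {
    // wp_ajax_* hooks fire for ANY authenticated user, subscribers included.
    // Nothing here checks who is asking or whether the request was forged.
    $slug = isset( $_POST['theme'] ) ? sanitize_text_field( wp_unslash( $_POST['theme'] ) ) : '';
    switch_theme( $slug );
    wp_send_json_success( array( 'activated' => $slug ) );
}

/* --- Hardened shape: capability check plus nonce check --- */

add_action( 'wp_ajax_demo_activate_theme_safe', 'demo_activate_theme_safe' );

function demo_activate_theme_safe() {
    // 1. Authorisation: require the same capability core requires to
    //    switch themes. This stops the low-privileged attacker.
    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF: require a nonce minted for this specific action. This stops
    //    a forged request riding on an administrator's session. Passing
    //    false as the third argument returns false instead of dying with -1,
    //    so we can answer with a JSON error.
    if ( ! check_ajax_referer( 'demo_activate_theme', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 3. Input validation: only switch to a theme that is actually installed.
    $slug = isset( $_POST['theme'] ) ? sanitize_text_field( wp_unslash( $_POST['theme'] ) ) : '';
    if ( '' === $slug || ! wp_get_theme( $slug )->exists() ) {
        wp_send_json_error( array( 'message' => 'Unknown theme.' ), 400 );
    }

    switch_theme( $slug );
    wp_send_json_success( array( 'activated' => $slug ) );
}

/* --- Admin side: hand the nonce to the page's script --- */

add_action( 'admin_enqueue_scripts', 'demo_enqueue_theme_switcher' );

function demo_enqueue_theme_switcher( $hook ) {
    if ( 'themes.php' !== $hook ) {
        return;
    }
    // switcher.js (hypothetical) posts action=demo_activate_theme_safe,
    // theme=<slug> and nonce=demoSwitcher.nonce to demoSwitcher.ajaxUrl.
    wp_enqueue_script( 'demo-theme-switcher', plugins_url( 'switcher.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-theme-switcher', 'demoSwitcher', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_activate_theme' ),
    ) );
}
```

Both checks are needed because they defend against different attackers: the capability check alone still lets a forged request from an administrator's browser through, and the nonce check alone still lets a subscriber who can obtain a nonce for their own session call the action. To verify a handler in a plugin you are reviewing, log in as a subscriber and POST the action to /wp-admin/admin-ajax.php without a nonce; a correctly guarded handler answers with a permission error (or -1 from check_ajax_referer) rather than performing the action.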
