CVE-2022-4702

2023-01-1017:15:11

[email protected]

web.nvd.nist.gov

royal elementor addons

wordpress

vulnerability

insufficient access control

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.1%

JSON

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the ‘wpr_fix_royal_compatibility’ AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited hardcoded selection. This also switches the site to the ‘royal-elementor-kit’ theme, potentially resulting in availability issues.

Affected configurations

Vulners

NVD

Node

wproyalroyal_elementor_addons_\(elementor_templates\,_post_grid\,_mega_menu_\&_header_footer_builder\,_woocommerce_builder\,_product_grid\,_slider\,_parallax_image_\&_other_free_elementor_widgets\)Range≤1.3.59

CPENameOperatorVersion
royal-elementor-addons:royal_elementor_addonsroyal-elementor-addons royal elementor addonsle1.3.59

CPE	Name	Operator	Version
royal-elementor-addons:royal_elementor_addons	royal-elementor-addons royal elementor addons	le	1.3.59

CNA Affected

[
  {
    "vendor": "wproyal",
    "product": "Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.59",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]