CVE-2022-4704

2023-01-1017:15:11

[email protected]

web.nvd.nist.gov

cve-2022-4704

royal elementor addons

wordpress

vulnerability

insufficient access control

nvd

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.1%

JSON

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the ‘wpr_import_templates_kit’ AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates including images and settings.

Affected configurations

Vulners

NVD

Node

wproyalroyal_elementor_addons_\(elementor_templates\,_post_grid\,_mega_menu_\&_header_footer_builder\,_woocommerce_builder\,_product_grid\,_slider\,_parallax_image_\&_other_free_elementor_widgets\)Range≤1.3.59

CPENameOperatorVersion
royal-elementor-addons:royal_elementor_addonsroyal-elementor-addons royal elementor addonsle1.3.59

CPE	Name	Operator	Version
royal-elementor-addons:royal_elementor_addons	royal-elementor-addons royal elementor addons	le	1.3.59

CNA Affected

[
  {
    "vendor": "wproyal",
    "product": "Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.59",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]