CVE-2022-4709

2023-01-1017:15:11

[email protected]

web.nvd.nist.gov

wordpress

royal elementor addons

cve-2022-4709

access control

nvd

security vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.5%

JSON

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the ‘wpr_import_library_template’ AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate templates from the plugin’s template library.

Affected configurations

Vulners

NVD

Node

wproyalroyal_elementor_addons_\(elementor_templates\,_post_grid\,_mega_menu_\&_header_footer_builder\,_woocommerce_builder\,_product_grid\,_slider\,_parallax_image_\&_other_free_elementor_widgets\)Range≤1.3.59

CPENameOperatorVersion
royal-elementor-addons:royal_elementor_addonsroyal-elementor-addons royal elementor addonsle1.3.59

CPE	Name	Operator	Version
royal-elementor-addons:royal_elementor_addons	royal-elementor-addons royal elementor addons	le	1.3.59

CNA Affected

[
  {
    "vendor": "wproyal",
    "product": "Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.59",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]