CVE-2022-4711

2023-01-1017:15:11

[email protected]

web.nvd.nist.gov

wordpress

royal elementor addons

cve-2022-4711

access control

vulnerability

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.2%

JSON

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the ‘wpr_save_mega_menu_settings’ AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu settings for any menu item.

Affected configurations

Vulners

NVD

Node

wproyalroyal_elementor_addons_\(elementor_templates\,_post_grid\,_mega_menu_\&_header_footer_builder\,_woocommerce_builder\,_product_grid\,_slider\,_parallax_image_\&_other_free_elementor_widgets\)Range≤1.3.59

CPENameOperatorVersion
royal-elementor-addons:royal_elementor_addonsroyal-elementor-addons royal elementor addonslt1.3.60

CPE	Name	Operator	Version
royal-elementor-addons:royal_elementor_addons	royal-elementor-addons royal elementor addons	lt	1.3.60

CNA Affected

[
  {
    "vendor": "wproyal",
    "product": "Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.59",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]