Lucene search

WordfenceCVELIST:CVE-2022-4709

HistoryJan 10, 2023 - 4:55 p.m.

CVE-2022-4709

2023-01-1016:55:00

Wordfence

www.cve.org

wordpress

vulnerability

access control

ajax

templates

library

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.5%

JSON

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the ‘wpr_import_library_template’ AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate templates from the plugin’s template library.

CNA Affected

[
  {
    "vendor": "wproyal",
    "product": "Royal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.59",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/admin/includes/wpr-templates-actions.php?rev=2834217

www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/

www.wordfence.com/threat-intel/vulnerabilities/id/fa530112-a7cd-4c54-aa87-9e7337d01557

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.5%

JSON

Related for CVELIST:CVE-2022-4709