CVE-2022-4704

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprimporttemplateskit' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site...

CVE-2022-4708

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprsavetemplateconditions' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to modify the conditions und...

CVE-2022-4700

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpractivaterequiredtheme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the...

CVE-2022-4103

The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post as well as any post type with an...

CVE-2022-4701

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpractivaterequiredplugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the...

CVE-2022-4710

The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to due to insufficient input sanitization and output escaping of the 'wprajaxsearchlinktarget' parameter in the 'datafetch' function. This makes it possibl...

CVE-2022-4703

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprresetpreviousimport' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported da...

CVE-2022-4707

The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.59. This is due to missing nonce validation in the 'wprcreatemegamenutemplate' AJAX function. This allows unauthenticated attackers to create Mega Menu templates,...

CVE-2022-4709

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprimportlibrarytemplate' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate...

CVE-2022-4711

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprsavemegamenusettings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu...

CVE-2022-4705

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprfinalsettingssetup' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to finalize activation of preset...

CVE-2022-0683

The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the /includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes...

CVE-2022-0320

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead ...

CVE-2021-25027

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue...

CVE-2021-24273

The “Clever Addons for Elementor” WordPress Plugin before 2.1.0 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method...

CVE-2021-24271

The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method...

CVE-2021-24359

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could b...

CVE-2021-24292

The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site ScriptingXSS by lower-privileged users such as contributors, all via a similar method: The “Card” widget...

CVE-2021-4332

The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 pro and 2.0.6 free. The plugin has a feature to add an "Info Box" to an Elementor created page. This Info Box can include an SVG image for the box. Unfortunately, the...

CVE-2021-24261

The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method...