WordPress Plugin Vulnerabilities

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Deactivation

Description

The plugin does not have authorisation and CSRF checks when deactivating plugins, which could allow any authenticated user, such as subscriber to perform such action

Affects Plugins

Plugin icon
royal-elementor-addons
Fixed in 1.3.60

References

CVE
CVE-2022-4702
URL
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
3667a8a6-d914-4275-932f-467ba5c8bdf1

Timeline

Publicly Published
2023-01-10 (about 3 years ago)
Added
2023-01-10 (about 3 years ago)
Last Updated
2023-01-10 (about 3 years ago)

Other

Published
Title
Published
2026-01-27
Title
Database for Contact Form 7, WPforms, Elementor forms < 1.4.6 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export
Published
2022-02-14
Title
Smart Forms < 2.6.71 - Subscriber+ Form Data Download
Published
2024-02-20
Title
Enjoy Social Feed <= 6.2.2 - Unauthenticated Arbitrary Instagram Account Unlinking
Published
2025-10-30
Title
ERI File Library < 1.1.1 - Missing Authorization to Unauthenticated Protected File Download
Published
2025-06-12
Title
Traffic Monitor < 3.2.3 - Missing Authorization to Unauthenticated Settings Update