WordPress Plugin Vulnerabilities

Royal Elementor Addons and Templates < 1.3.88 - Multiple Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform actions on the site via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
royal-elementor-addons
Fixed in 1.3.88

References

CVE
CVE-2024-0514
CVE
CVE-2024-0515
CVE
CVE-2024-0513
CVE
CVE-2024-0512
CVE
CVE-2024-0511
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-and-templates-1387-cross-site-request-forgery-via-add-to-compare
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-and-templates-1387-cross-site-request-forgery-via-remove-from-compare
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-and-templates-1387-cross-site-request-forgery-via-remove-from-wishlist
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-and-templates-1387-cross-site-request-forgery-via-add-to-wishlist
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-and-templates-1387-cross-site-request-forgery-via-wpr-update-form-action-meta

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
71910e75-2ac7-4da0-b224-675236b36733

Timeline

Publicly Published
2024-02-07 (about 2 years ago)
Added
2024-02-09 (about 2 years ago)
Last Updated
2024-02-09 (about 2 years ago)

Other

Published
Title
Published
2024-10-18
Title
APA Register Newsletter Form <= 1.0.0 - Cross-Site Request Forgery to SQL Injection
Published
2023-12-28
Title
WPC Product Bundles for WooCommerce < 7.3.2 - Cross-Site Request Forgery
Published
2024-06-12
Title
Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF
Published
2024-04-12
Title
BEAF < 4.5.5 - Cross-Site Request Forgery to Notice Dismissal
Published
2025-03-07
Title
Wishlist for WooCommerce: Multi Wishlists Per Customer < 3.1.8 - Cross-Site Request Forgery to Cross-Site Scriping via Wishlist Name