Royal Elementor Kit < 1.0.117 – Missing Authorization to Arbitrary Transient Update | CVE 2024-0835 | Theme Vulnerabilities

Description

The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to true and not arbitrary values.

Affects Themes

royal-elementor-kit

Fixed in 1.0.117

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sean Murphy

Verified

No

WPVDB ID

847c02f4-9472-41d7-ab8a-a36be0a15f52

Timeline

Publicly Published

2024-02-05 (about 2 years ago)

Added

2024-02-09 (about 2 years ago)

Last Updated

2024-02-09 (about 2 years ago)

Other

Published

Title

Published

2024-11-15

Title

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups < 4.9.8 - Missing Authorization to Unauthenticated Limited Options Update

Published

2025-03-31

Title

CF7 Spreadsheets <= 2.3.2 - Missing Authorization to Settings Update

Published

2025-04-29

Title

WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin < 14.13.4 - Subscriber+ Arbitrary Plugin Settings Update

Published

2024-06-06

Title

GDPR/CCPA Cookie Consent Banner < 3.2.1 - Missing Authorization via handle_consent_toggle()

Published

2026-02-10

Title

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) < 4.9.61 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion