WordPress Plugin Vulnerabilities

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Theme Activation

Description

The plugin does not have authorisation and CSRF checks when activating themes, which could allow any authenticated user, such as subscriber to perform such action

Affects Plugins

Plugin icon
royal-elementor-addons
Fixed in 1.3.60

References

CVE
CVE-2022-4700
URL
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
c8ecb8f5-e595-4208-bda9-17ac2a832ca1

Timeline

Publicly Published
2023-01-10 (about 3 years ago)
Added
2023-01-10 (about 3 years ago)
Last Updated
2023-01-10 (about 3 years ago)

Other

Published
Title
Published
2023-11-07
Title
Auto Tag Creator <= 1.0.2 - Missing Authorization via tag_save_settings_callback
Published
2023-03-21
Title
JS Job Manager < 2.0.1 - Missing Authorization
Published
2023-12-05
Title
Webflow Pages < 1.1.0 - Missing Authorization
Published
2025-10-15
Title
Cost Calculator Builder < 3.5.33 - Missing Authorization
Published
2023-11-27
Title
Qode Essential Addons < 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation