WordPress Plugin Vulnerabilities

Royal Elementor Addons < 1.3.981 - Authenticated (Author+) External Entity Injection

Description

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to External Entity Injection in all versions up to, and including, 1.3.980. This is due to improper restriction and sanitization on external entities. This makes it possible for authenticated attackers, with author-level access and above, to inject external entities and perform other attacks like SSRF and remote code execution in the proper configuration.

Affects Plugins

Plugin icon
royal-elementor-addons
Fixed in 1.3.981

References

CVE
CVE-2024-50442
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/30a89e75-2ab1-4e65-8646-b100efed5dbd

Classification

Type
XXE
OWASP top 10
A4: XML External Entities (XXE)
CWE
CWE-611
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
eecf12c6-9b69-4bd0-9d9e-d90d8081cf12

Timeline

Publicly Published
2024-10-24 (about 1 year ago)
Added
2024-10-31 (about 1 year ago)
Last Updated
2024-10-31 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
Advanced XML Reader 0.3.4 - XML External Entity (XXE) Injection
Published
2013-06-21
Title
WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)
Published
2014-09-16
Title
WordPress 3.6 - 3.9.1 XXE in GetID3 Library
Published
2026-01-16
Title
Demo Importer Plus < 2.0.10 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload
Published
2015-06-10
Title
WooCommerce 2.0.20-2.3.10 - Object Injection / XXE