The Wordfence Threat Intelligence team discovered 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations.

While none of the vulnerabilities were critical, several of them could have been used by any authenticated user to modify content, disable plugins, or even temporarily take down the site in some circumstances.

Additionally one of the patched vulnerabilities was a Reflected Cross-Site Scripting vulnerability which could have been used to take over the site if an attacker was able to trick an administrator into performing an action, such as clicking a link.

Vulnerability Details

The primary set of issues with Royal Elementor Addons was due to a lack of access control and nonce checks on various AJAX actions in the plugin.

Description: Insufficient Access Control to Theme Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4700
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to quickly activate the recommended Royal Elementor Kit theme. Unfortunately, this is performed via an AJAX function, wpr_activate_required_theme, which did not perform capability or nonce checks, or even check whether the theme was installed on the site. This meant that any logged-in user, such as a subscriber, could change a vulnerable site’s theme. If the Royal Elementor Kit theme was not installed on the site, this resulted in a loss of availability, as the site would fail to load and instead display an error message.
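The bug class shared by the AJAX actions described in this advisory is easiest to see as a side-by-side of a handler without checks and the same handler with them. The following is an added illustration, not code from Royal Elementor Addons; the hook names, callback names, theme slug and nonce action string are hypothetical. The capability check is what stops a subscriber from calling the action at all, and the nonce check is what stops a forged request from a logged-in administrator's browser (the missing piece in the CSRF entry later in this advisory); the theme-existence check addresses the availability impact noted above.

```php
<?php
// Added illustration (not Royal Elementor Addons code). Hook names, callback
// names, the theme slug and the nonce action string are hypothetical.

// VULNERABLE pattern: an admin-ajax.php handler reachable by any logged-in
// user, with no capability check, no nonce check and no existence check.
function example_activate_theme_vulnerable() {
    switch_theme( 'example-theme-slug' ); // hypothetical theme slug
    wp_send_json_success();
}
add_action( 'wp_ajax_example_activate_theme', 'example_activate_theme_vulnerable' );

// HARDENED pattern: verify a nonce bound to the current user, require the
// capability core itself demands for switching themes, and confirm the theme
// is actually installed before acting.
function example_activate_theme_hardened() {
    // Dies with an error response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_activate_theme_nonce', 'nonce' );

    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $theme = wp_get_theme( 'example-theme-slug' ); // hypothetical theme slug
    if ( ! $theme->exists() ) {
        // Refusing here avoids the "site fails to load" outcome of switching
        // to a theme that is not installed.
        wp_send_json_error( 'Theme is not installed', 400 );
    }

    switch_theme( $theme->get_stylesheet() );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_activate_theme_hardened', 'example_activate_theme_hardened' );

// The nonce the hardened handler expects is minted server-side for the admin
// page that issues the request and handed to the page's script.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_activate_theme_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this class of issue, every callback registered with a `wp_ajax_` (or `wp_ajax_nopriv_`) hook should contain both a `check_ajax_referer()` (or `wp_verify_nonce()`) call and a `current_user_can()` call appropriate to what the action does; the plugin deactivation, template import and settings-update actions listed below would each need their own capability (for example `activate_plugins` or `manage_options`) in place of `switch_themes`.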

Description: Insufficient Access Control to Plugin Deactivation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4702
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to revert the site to a “compatible” state for imported templates via the wpr_fix_royal_compatibility AJAX function. This involves deactivating all but a short list of hard-coded plugins. As the function did not use capability or nonce checks, any authenticated user could deactivate plugins necessary for site functionality, as well as any security plugins that do not specifically block this action. This could cause the site to become unavailable or vulnerable to additional exploits.


Description: Insufficient Access Control to Template Import
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4704
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons allows importing preset templates via the wpr_import_templates_kit AJAX function. Vulnerable versions of the plugin did not include a capability or nonce check for this function, so any authenticated user could import templates, potentially overwriting existing templates.


Description: Insufficient Access Control to Plugin Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4701
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to activate the ‘contact-form-7’, ‘media-library-assistant’, or ‘woocommerce’ plugins, if they are installed on the site, via the wpr_activate_required_plugins AJAX action, and this functionality was available to any logged-in user. Fortunately, the impact of this vulnerability is quite minimal, as it would only allow an attacker to activate those three plugins.

Description: Insufficient Access Control to Import Deletion
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4703
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons has an AJAX action, wpr_reset_previous_import, used to delete previously imported content when importing new content. However, since it is accessible to any authenticated user, this could be used to delete imported content without importing new content, potentially resulting in site availability issues.

Description: Insufficient Access Control to Template Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4705
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_final_settings_setup AJAX action to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action. As with the other vulnerabilities recorded here, any authenticated user could access this functionality, though the impact of this vulnerability was lower.


Description: Insufficient Access Control to Menu Settings Update
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4711
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_save_mega_menu_settings AJAX action to update mega menu settings. As with the other vulnerabilities we found, this action called a function that did not include a capability check or a nonce check, so any authenticated user could update menu settings.

Description: Insufficient Access Control to Template Conditions Modification
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4708
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_save_template_conditions AJAX action to save template conditions, determining when a given template will be displayed and used. The action called a function that was accessible to any authenticated user.


Description: Insufficient Access Control to Template Kit Import
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4709
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_import_library_template AJAX action to import and activate templates from the plugin developers’ template library. As with other vulnerabilities reported here, the action called a function that did not include a capability or nonce check, allowing any authenticated user to access it.


The final vulnerabilities the team found did not exactly fit the pattern of the others – one was a lower-severity Cross-Site Request Forgery (CSRF) and the other a higher-severity reflected Cross-Site Scripting (XSS).

Description: Cross-Site Request Forgery to Menu Template creation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4707
CVSS Score: 4.3 (Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Unlike the other AJAX actions, wpr_create_mega_menu_template, which is used to create new menu templates, did include access control. It was, however, still lacking a nonce check, so an attacker could trick a logged-in administrator into performing an action that would result in a menu template being created.

Description: Reflected Cross-Site Scripting
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions: <= 1.3.59
CVE ID: CVE-2022-4710
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.3.60

Unlike all of the other vulnerabilities mentioned above, reflected cross-site scripting (XSS) can be used by an attacker to completely take over a website if they can trick a logged-in administrator into performing an action, such as clicking a link: the injected script then runs in the administrator’s browser and can perform actions as that administrator, such as adding a new malicious administrator or inserting a backdoor into a plugin or theme file.

Unauthenticated users could also be targeted by this vulnerability, to redirect them to a malicious website or perform actions in their browsers. In this case, the data_fetch function failed to escape the wpr_ajax_search_link_target parameter used to return search results.
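The escaping failure described above, as an added illustration that is not the plugin’s code: a request parameter that is meant to populate a link’s `target` attribute is reflected into markup. The function and parameter names below are hypothetical, and the search results are a constructed array; what matters is where escaping happens and that an attribute with only two valid values is best restricted to those values rather than merely escaped.

```php
<?php
// Added illustration (not Royal Elementor Addons code). Function and parameter
// names are hypothetical; $results is a constructed sample input.

// VULNERABLE pattern: the request parameter goes into an HTML attribute
// without sanitization or escaping, so it can break out of the attribute.
function example_render_results_vulnerable( array $results ) {
    $target = isset( $_GET['link_target'] ) ? $_GET['link_target'] : '_self';
    $html   = '';
    foreach ( $results as $r ) {
        $html .= '<a href="' . esc_url( $r['url'] ) . '" target="' . $target . '">'
               . esc_html( $r['title'] ) . '</a>';
    }
    return $html;
}

// HARDENED pattern: unslash and sanitize on input, restrict the value to the
// set that is valid for this attribute, and escape at the point of output.
function example_render_results_hardened( array $results ) {
    $target = isset( $_GET['link_target'] )
        ? sanitize_text_field( wp_unslash( $_GET['link_target'] ) )
        : '_self';

    // An allow-list is stricter than escaping alone: anything that is not a
    // recognised target falls back to a safe default.
    if ( ! in_array( $target, array( '_self', '_blank' ), true ) ) {
        $target = '_self';
    }

    $html = '';
    foreach ( $results as $r ) {
        $html .= sprintf(
            '<a href="%s" target="%s">%s</a>',
            esc_url( $r['url'] ),
            esc_attr( $target ),
            esc_html( $r['title'] )
        );
    }
    return $html;
}

// Constructed sample data for trying both renderers from a WordPress context.
$example_results = array(
    array( 'url' => 'https://example.com/post-1', 'title' => 'First result' ),
    array( 'url' => 'https://example.com/post-2', 'title' => 'Second <b>result</b>' ),
);
echo example_render_results_hardened( $example_results );
```

For an AJAX endpoint that returns HTML fragments, the same rule applies to every value that originates from the request: `esc_attr()` for attribute context, `esc_html()` for text content and `esc_url()` for `href`/`src`, applied at output rather than relying on an earlier sanitization step alone.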