The Wordfence Threat Intelligence Team initiated the responsible disclosure process on December 23, 2022 for 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The developer replied to our full disclosure on December 26th.
On December 23, 2022, we released a firewall rule protecting Wordfence Premium, Care and Response customers against these vulnerabilities. Sites still using the free version of Wordfence will receive the same rule 30 days later, on January 22, 2023.
While none of these vulnerabilities are critical, several of them could be used by any authenticated user to modify content, deactivate plugins or, in certain circumstances, temporarily take the site down. A Reflected Cross-Site Scripting vulnerability was also fixed; it could have allowed an attacker who tricked an administrator into performing an action, such as clicking a link, to take over the site.
Vulnerability Details
Most of the issues we found in Royal Elementor Addons follow the same pattern: a missing capability check and/or nonce check on an AJAX action registered by the plugin.
Description: Insufficient Access Control to Theme Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions:
CVE ID: CVE-202-2700
CVSS Score: Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons offers a convenient way to activate its recommended theme, Royal Elementor Kit. Unfortunately, this was done through an AJAX action, wpr_activate_required_theme, that performed no capability or nonce check and did not even verify that the theme was installed on the site. Any logged-in user, including a subscriber, could change the theme of a vulnerable site, and if Royal Elementor Kit was not installed, the site would fail to load or display an error message.
Description: Insufficient Access Control to Plugin Deactivation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-4722
CVSS Score: Medium (5.4)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons has an option to revert the site to a “compatible” state for imported templates via the wpr_fix_royal_compatibility AJAX action. It deactivates all plugins except a few that are hard-coded. Since the function had neither a nonce nor a capability check, any authenticated user could deactivate plugins the site depends on, including security plugins that do not block the action, leaving the site inaccessible or more vulnerable.
Description: Insufficient Access Control to Template Import
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-4744
CVSS Score: Medium (5.4)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons allows importing preset templates via the wpr_import_templates_kit AJAX action. In vulnerable versions this action has neither a capability nor a nonce check, so any authenticated user could import templates, potentially overwriting existing ones.
Description: Insufficient Access Control to Plugin Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-471
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons can activate the ‘contact-form-7’, ‘media-library-assistant’ or ‘woocommerce’ plugins, if they are installed on the site, via the wpr_activate_required_plugins AJAX action, and this functionality was available to any logged-in user. The impact is limited, since an attacker could only activate those three plugins.
Description: Insufficient Access Control to Import Deletion
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-47303
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons has an AJAX action, wpr_reset_previous_import, used to delete previously imported content before importing new content. It was available to all authenticated users, so it could be used to delete previously imported content without importing anything new, which could leave parts of the site inaccessible.
Description: Insufficient Access Control to Template Activation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Affected Versions:
CVE ID: CVE-2022-4755
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons uses the wpr_final_settings_setup AJAX action to finalize the activation of preset site configuration templates, which are chosen and imported via a separate action. Like the others, this action could be triggered by any authenticated user, although its impact was lower.
Description: Insufficient Access Control to Menu Settings Update
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-47111
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons uses the wpr_save_mega_menu_settings AJAX action to update mega menu settings. The function handling this action had no capability or nonce check, so any authenticated user could change menu settings.
Description: Insufficient Access Control to Template Conditions Modification
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-4788
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons uses the wpr_save_template_conditions AJAX action to save template conditions, which determine when a given template is displayed and used. The function handling this action was available to all authenticated users.
Description: Insufficient Access Control to Template Kit Import
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-4799
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Royal Elementor Addons uses the wpr_import_library_template AJAX action to import and activate templates from the plugin developers’ template library. The function handling this action had no nonce or capability check and was accessible to any authenticated user.
The remaining two vulnerabilities differ from the others: one was a Cross-Site Request Forgery (CSRF), and the other a Cross-Site Scripting (XSS) vulnerability of higher severity.
Description: Cross-Site Request Forgery to Menu Template Creation
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-47707
CVSS Score: Low (4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Unlike the other AJAX actions mentioned so far, wpr_create_mega_menu_template, which is used to create new menu templates, did include a capability check. However, it was still missing a nonce check, which allowed an attacker to trick a logged-in administrator into creating a new menu template.
Description: Reflected Cross-Site Scripting
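The following is an added illustration, not the plugin's own code, of the pattern behind both the missing-access-control actions and the nonce-only CSRF case above: a WordPress AJAX handler with no checks beside a hardened version that verifies a nonce, checks a capability and sanitizes input. Action, option and function names are hypothetical.

```php
<?php
// Added example (hypothetical names, not Royal Elementor Addons code).

// VULNERABLE shape: registered on wp_ajax_*, so any logged-in user can
// reach it through admin-ajax.php. No capability check means a subscriber
// can call it; no nonce means a page loaded by an administrator can call
// it on their behalf (CSRF).
function example_save_settings_vulnerable() {
    $value = $_POST['value'] ?? '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// HARDENED shape: the nonce defeats CSRF (an attacker's page cannot read
// the token), the capability check confines the action to the intended
// role, and the value is sanitized before it is stored.
function example_save_settings_hardened() {
    // Sends a 403 and dies if the nonce is missing or invalid. The action
    // string must match the one used when the nonce was created.
    check_ajax_referer( 'example_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_hardened', 'example_save_settings_hardened' );

// The nonce is minted server-side for the admin page that will issue the
// request and handed to its script along with the AJAX endpoint.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

Note that a nonce check alone is not an authorization control: the CSRF-only case above already had a capability check, while the other actions needed both.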
Affected Plugin: Royal Elementor Addons
Plugin Slug: royal-elementor-addons
Versions Affected: <= 1.3.59
CVE ID: CVE-2022-4720
CVSS Score: Medium (6.1)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher: Ramuel Gall
Fully Patched Version: 1.3.60
Unlike the other vulnerabilities discussed here, a reflected Cross-Site Scripting (XSS) vulnerability can be used to take over a site, but only if the attacker can trick a logged-in administrator into performing an action such as clicking a link.
Unauthenticated users can also be targeted, for instance to perform malicious actions in their browser or redirect them to a malicious site. In this case, the data_fetch function failed to escape the wpr_ajax_search_link_target parameter when returning search results. Wordfence’s built-in Cross-Site Scripting protection, which is available to all Wordfence users including free users, protects against exploits targeting this vulnerability.
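As an added illustration (not the plugin's code), the shape of the escaping defect described above and its fix: a search-results AJAX handler reflects a link-target request parameter into an HTML attribute. The hardened version restricts the value to the set it can legitimately take and escapes it on output. Function, action and parameter names are hypothetical.

```php
<?php
// Added example (hypothetical names, not Royal Elementor Addons code).

// VULNERABLE shape: the request parameter is written into an attribute
// unescaped, so a crafted value can close the attribute and inject markup.
// Registered on wp_ajax_nopriv_* as well, so the reflection is reachable
// from a link opened by any visitor or by a tricked administrator.
function example_search_vulnerable() {
    $target = $_GET['link_target'] ?? '_self';
    echo '<a href="' . esc_url( home_url( '/?s=example' ) ) . '" target="' . $target . '">Result</a>';
    wp_die();
}
add_action( 'wp_ajax_example_search_vulnerable', 'example_search_vulnerable' );
add_action( 'wp_ajax_nopriv_example_search_vulnerable', 'example_search_vulnerable' );

// HARDENED shape: allow-list the value (only two link targets make sense
// here), then still escape with esc_attr() on output as defence in depth.
function example_render_result_link( $target ) {
    $allowed = array( '_self', '_blank' );
    if ( ! in_array( $target, $allowed, true ) ) {
        $target = '_self';
    }
    return '<a href="' . esc_url( home_url( '/?s=example' ) ) . '" target="' . esc_attr( $target ) . '">Result</a>';
}

function example_search_hardened() {
    // Explicit content type so the browser does not sniff the response.
    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
    $target = sanitize_text_field( wp_unslash( $_GET['link_target'] ?? '_self' ) );
    echo example_render_result_link( $target );
    wp_die();
}
add_action( 'wp_ajax_example_search_hardened', 'example_search_hardened' );
add_action( 'wp_ajax_nopriv_example_search_hardened', 'example_search_hardened' );
```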
Timeline
December 23, 2022: We release a firewall rule to protect Wordfence Premium, Care and Response customers.
December 26, 2023: The plugin developer replies.
December 29, 2023: A patched version, 1.3.60, is released.
February 22, 2023: Wordfence Free users receive the firewall rule.
Conclusion
In this article we covered 11 vulnerabilities in Royal Elementor Addons. While none of them are considered critical, they could have serious consequences in certain situations.
Wordfence Premium, Care and Response users are protected against these vulnerabilities by the Wordfence firewall. Wordfence Free users will receive the rule on January 22, 2023. Regardless, we strongly recommend updating to the latest patched version (1.3.60) as soon as possible.
If you believe your site has been compromised as a result of these vulnerabilities, we offer Incident Response services via Wordfence Care.
Wordfence Response is available 24/7/365 with a fast response time, and both products include hands-on assistance if you need further help. If you have friends or colleagues using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Royal Elementor Addons as soon as they can.
Security researchers can responsibly disclose their findings to Wordfence to obtain a CVE ID and be listed on the Wordfence Intelligence Community Edition leaderboard.