Description
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Royal Addons for Elementor plugin for WordPress allows an authenticated attacker with author-level access or higher to upload a file named main.php, because the plugin's file type validation fails to sanitize files with that name. This arbitrary file upload vulnerability corresponds to CWE-434 (Improper Validation of File Type or Extension) and can result in remote code execution if the uploaded file contains executable PHP code. The flaw directly exposes the server's file system to unauthorized code execution, potentially compromising the entire site.

Affected Systems

All releases of the Royal Addons for Elementor – Addons and Templates Kit for Elementor up to and including version 1.7.1049 are vulnerable. The plugin is distributed by wproyal. No information indicates that versions newer than 1.7.1049 address the issue, so any deployment using a version at or below this threshold is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity. The EPSS score is reported as less than 1%, suggesting a low probability of widespread exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires valid site credentials with author-level or higher privileges, so an attacker must already hold an account on the target site. While the impact is high for privileged accounts, the overall risk scope is limited to sites that have not patched or removed the affected plugin.

Generated by OpenCVE AI on March 17, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Royal Addons for Elementor to the latest release (greater than 1.7.1049).
  • If an update cannot be performed immediately, remove the plugin or disable it entirely.
  • Restrict author-level or higher user permissions on the site to prevent unauthorized file uploads.


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:15:00 +0000

  Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added:
    Wordpress
    Wordpress wordpress
    Wproyal
    Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor

  Type: Vendors & Products
  Values Removed: (none)
  Values Added:
    Wordpress
    Wordpress wordpress
    Wproyal
    Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor

Wed, 11 Mar 2026 04:30:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

  Type: Title
  Values Removed: (none)
  Values Added: Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-434

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wproyal Royal Addons For Elementor – Addons And Templates Kit For Elementor
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T15:39:46.804Z

Reserved: 2025-11-12T13:35:40.830Z

Link: CVE-2025-13067

Vulnrichment

Updated: 2026-03-11T15:39:29.689Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T05:17:46.027

Modified: 2026-03-11T13:52:47.683

Link: CVE-2025-13067

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:56Z

Weaknesses