Description
Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Royal Elementor Addons contains a Broken Access Control flaw. The plugin fails to enforce proper authorization checks, allowing an unauthenticated or low‑privilege user to act with higher privileges within the plugin. This can result in unauthorized viewing or modification of plugin settings and content, potentially affecting the confidentiality, integrity, or availability of the WordPress site. The weakness is identified as CWE‑862.

Affected Systems

The vulnerability affects all releases of Royal Elementor Addons with a version number less than 1.7.1053, including the original release. The plugin is distributed under the WProyal brand and is deployed on WordPress installations. A site that has not upgraded to 1.7.1053 or newer is at risk, regardless of other WordPress security measures.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. The EPSS score is below 1% (Very Low) and the CVE is not listed in KEV, so there is currently no indication of active real‑world exploitation. The flaw is likely exploitable remotely through legitimate WordPress web traffic, as the plugin’s admin interfaces can be reached by users who have not passed proper authorization checks. An attacker could use this to elevate privileges or steal data, although the published vector (C:L/I:N/A:N) scores only a low confidentiality impact.

Generated by OpenCVE AI on May 7, 2026 at 09:23 UTC.

Remediation

Vendor Solution

Update the WordPress Royal Elementor Addons Plugin to the latest available version (at least 1.7.1053).


OpenCVE Recommended Actions

  • Update the Royal Elementor Addons plugin to version 1.7.1053 or later.
  • If an update cannot be applied immediately, temporarily disable the plugin’s administrative endpoints (or deactivate the plugin) to block unauthorized access.
  • Implement WordPress role‑based access controls and monitor for unusual activity on the plugin’s settings pages.


Advisories

No advisories yet.

History

Thu, 07 May 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wp Royal; Wp Royal royal Elementor Addons

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wp Royal; Wp Royal royal Elementor Addons

Thu, 07 May 2026 08:30:00 +0000

Values added (none removed), by type:

Description: Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Title: WordPress Royal Elementor Addons plugin < 1.7.1053 - Broken Access Control vulnerability
Weaknesses: CWE-862
References:
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-07T07:34:02.310Z

Reserved: 2026-02-02T12:53:40.963Z

Link: CVE-2026-25436

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-07T09:16:26.923

Modified: 2026-05-07T14:00:48.567

Link: CVE-2026-25436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T10:15:26Z

Weaknesses