Impact
Royal Elementor Addons exposes functionality whose invocation is not properly constrained by access control; the weakness is recorded as an inclusion of functionality from an untrusted control sphere. Because the affected entry points do not enforce authorization before acting, a user who can reach them can invoke operations that should be reserved for privileged roles, which puts the integrity of the WordPress site at risk. The vulnerability is rated high (CVSS 8.2), and the description implies that any client able to reach the plugin's exposed API, not only an administrator, is in a position to attempt it.
Affected Systems
WordPress plugin Royal Elementor Addons by WP Royal, all versions up to and including 1.7.1052. Whether a site is affected depends on the version actually installed, so verify it on each site rather than assuming an automatic update has already run.
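The affected range ends at 1.7.1052, a version whose last component has four digits, and a naive string comparison gets that wrong ("1.7.999" sorts after "1.7.1052" as text). The following is an added example, not code from the plugin, from WP Royal or from OpenCVE: it reads the `Version:` line from a plugin's main PHP file header, compares it numerically against the last affected release, and treats pre-release suffixes as older than the plain release. The plugin directory and file name used for the default path are assumptions about a typical install; adjust them to match yours. The sample header in the block is constructed for illustration.

```python
"""Check whether an installed Royal Elementor Addons version is in the affected
range (everything up to and including 1.7.1052).

Added example for this advisory, not the plugin's own code or OpenCVE tooling.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

LAST_AFFECTED = "1.7.1052"

# Assumed location of the plugin's main file inside a WordPress install.
# The slug and file name are assumptions; check your wp-content/plugins directory.
DEFAULT_PLUGIN_MAIN_FILE = Path("wp-content/plugins/royal-elementor-addons/wpr-addons.php")

# WordPress plugin headers live in a leading comment block, one "Key: value" per line,
# usually prefixed with " * ". Match the Version line wherever it sits in the file.
_VERSION_HEADER_RE = re.compile(r"^[ \t/*]*Version:[ \t]*(\S+)", re.MULTILINE)

# Constructed sample of what such a header looks like (not the real plugin file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Royal Elementor Addons
 * Description: Constructed sample header for the version check example.
 * Version: 1.7.1052
 * Requires at least: 5.0
 */
"""


def version_from_plugin_header(source: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    match = _VERSION_HEADER_RE.search(source)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[Tuple[int, int], ...]:
    """Turn '1.7.1052' into ((1, 0), (7, 0), (1052, 0)) so comparison is numeric.

    Each component becomes (number, flag). A non-numeric suffix such as
    '1052-beta1' gets flag -1 so that a pre-release sorts before its release.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        number, suffix = int(m.group(1)), m.group(2)
        parts.append((number, -1 if suffix else 0))
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when version <= last_affected under numeric, component-wise ordering.

    Shorter versions are padded with zero components, so '1.7' equals '1.7.0'.
    """
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    a += ((0, 0),) * (width - len(a))
    b += ((0, 0),) * (width - len(b))
    return a <= b


def check_plugin_file(path: Path = DEFAULT_PLUGIN_MAIN_FILE) -> dict:
    """Read the plugin's main file and report its version and affected status.

    Returns {'found': False} when the file is missing, so callers can tell
    'plugin not installed' apart from 'installed and vulnerable'.
    """
    if not path.is_file():
        return {"found": False, "path": str(path)}
    version = version_from_plugin_header(path.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return {"found": True, "path": str(path), "version": None, "affected": None}
    return {"found": True, "path": str(path), "version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Demonstrate on the constructed header, then on the assumed install path.
    sample_version = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    print(f"sample header version {sample_version}: affected={is_affected(sample_version)}")
    print(check_plugin_file())
```

Run it from the WordPress root; a result of `affected: True` means the site needs the update, `found: False` means the plugin is not installed at the assumed path and the slug or file name should be checked against the actual plugins directory.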
Risk and Exploitability
A CVSS score of 8.2 places the flaw in the high-severity band. Its EPSS score below 1% means the modelled probability of exploitation in the wild over the next 30 days is low but not zero, and the CVE is not in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing. The expected attack vector is remote web interaction with the plugin's exposed functionality: an attacker sends crafted requests to the unprotected entry points and triggers operations they are not authorized to perform, which can amount to privilege escalation or access to sensitive administrative actions. High impact combined with currently low exploitation likelihood still warrants prompt remediation rather than deferral, since publicly known WordPress plugin flaws are routinely scanned for at scale; in the meantime, watch web server logs for unexpected requests to the plugin's endpoints.
OpenCVE Enrichment