Description
The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.
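The authorization pattern the description says is absent, written here as an added PHP illustration rather than the plugin's code. The handler name, request fields and meta keys are hypothetical placeholders; the nonce name and the WordPress functions are real.

```php
<?php
// Added illustration, not Royal Addons code: the checks a post-meta AJAX
// handler needs. Handler name, request fields and meta keys are placeholders.

// Allow-list of meta keys the handler may write (hypothetical names).
const EXAMPLE_ALLOWED_FORM_META = array(
    'example_form_email_to',
    'example_form_webhook_url',
);

function example_update_form_action_meta() {
    // 1. Nonce: only a CSRF defence. 'wpr-addons-js' is printed into
    //    front-end JavaScript (WprConfig.nonce), so anyone can read it;
    //    it says nothing about who is calling and cannot be the only gate.
    check_ajax_referer( 'wpr-addons-js', 'nonce' );

    $post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $meta_key = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $value    = isset( $_POST['meta_value'] ) ? wp_unslash( $_POST['meta_value'] ) : '';

    // 2. Capability and ownership check (the missing CWE-862 control):
    //    the caller must be allowed to edit this specific post. This also
    //    rejects anonymous callers, so a wp_ajax_nopriv_ registration
    //    would serve no purpose.
    if ( 0 === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Keep the key allow-list and validate the value per key type, so a
    //    webhook URL cannot be set to a non-HTTPS scheme.
    if ( ! in_array( $meta_key, EXAMPLE_ALLOWED_FORM_META, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown key.' ), 400 );
    }
    if ( 'example_form_webhook_url' === $meta_key ) {
        $value = esc_url_raw( $value, array( 'https' ) );  // '' if not https
        if ( '' === $value ) {
            wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
        }
    } else {
        $value = sanitize_text_field( $value );
    }

    update_post_meta( $post_id, $meta_key, $value );
    wp_send_json_success();
}

// Logged-in hook only; deliberately no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_example_update_form_action_meta', 'example_update_form_action_meta' );
```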
Published: 2026-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Royal Addons for Elementor plugin for WordPress suffers from a missing capability check on the wpr_update_form_action_meta AJAX action. The handler is registered on both authenticated and unauthenticated hooks and verifies a nonce that is publicly exposed in front-end JavaScript, removing effective protection. Because the endpoint calls update_post_meta() directly with user-controlled input for a set of form action meta keys, any unauthenticated visitor can alter critical form configuration data such as email recipients, Mailchimp lists, and webhook URLs. This can lead to unauthorized notifications or direct data exfiltration via hijacked webhook URLs.

Affected Systems

WordPress sites that have Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.7.1056 or earlier are affected. The flaw exists in all releases up to and including 1.7.1056; any site using one of those releases without an update is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable by an unauthenticated attacker who merely visits a page that loads a Royal Addons widget; no login or privileged access is required. Once accessed, the attacker can modify sensitive form configuration data without restriction.

Generated by OpenCVE AI on May 2, 2026 at 11:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Royal Addons for Elementor to a version that includes the missing capability check; if a newer version is unavailable, obtain the vendor’s remediation or consider decommissioning the plugin.
  • If upgrade is not immediately possible, deny unauthenticated requests to the wp_ajax/wpr_update_form_action_meta endpoint by configuring the web server or firewall to block wp-admin/admin-ajax.php requests with action=wpr_update_form_action_meta from non-logged-in users.
  • After the technical fix, audit all form configurations on the site: review email recipients, webhook URLs, Mailchimp lists, and other action meta values, reset any that appear suspicious, and regenerate any credentials that might have been exposed.
  • Monitor access logs for repeated attempts to call the wpr_update_form_action_meta endpoint and set alerts for any unexpected activity.
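A site-side stopgap for the second and fourth actions above, written here as an added example (not Royal Addons code): an mu-plugin that refuses the unauthenticated dispatch path for this action and logs each attempt. The function name is hypothetical; the hook name follows WordPress's wp_ajax_nopriv_{action} convention with the action named on this page.

```php
<?php
/**
 * Plugin Name: Virtual patch for wpr_update_form_action_meta (added example)
 * Place in wp-content/mu-plugins/. Site-side stopgap written for this page,
 * not code from the Royal Addons project.
 */

// admin-ajax.php fires this hook only for callers who are NOT logged in.
// Priority 0 runs our callback ahead of the plugin's own handler.
add_action(
    'wp_ajax_nopriv_wpr_update_form_action_meta',
    'example_block_unauth_form_meta_update',
    0
);

function example_block_unauth_form_meta_update() {
    // Record the attempt so there is a server-side signal alongside the
    // web-server access log (REMOTE_ADDR; adjust if behind a proxy).
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ), 0, 200 )
        : '';
    error_log( sprintf(
        'CVE-2026-4024: blocked unauthenticated wpr_update_form_action_meta from %s UA=%s',
        $ip,
        $ua
    ) );

    // Refuse with 403; wp_send_json_error() calls wp_die(), so no later
    // callback on this hook (the vulnerable handler included) runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

This closes only the wp_ajax_nopriv path; logged-in users of any role still reach the handler until the plugin's own capability check exists, so treat it as a bridge to the upgrade.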


Advisories

No advisories yet.

History

Sat, 02 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wproyal; Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor
Vendors & Products | | Wordpress; Wordpress wordpress; Wproyal; Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor

Sat, 02 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description section above)
Title | | Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T08:27:04.649Z

Reserved: 2026-03-11T20:30:55.411Z

Link: CVE-2026-4024

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T09:16:22.270

Modified: 2026-05-02T09:16:22.270

Link: CVE-2026-4024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses