CVE-2026-28135

Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1052 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.7.1053
Time to patch: 48d

Description

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.1052. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.7.1052
Published: February 26, 2026
Last updated: April 14, 2026
Affected plugin: royal-elementor-addons

What Changed in the Fix

Changes introduced in v1.7.1053


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-28135

1. Vulnerability Summary

The Royal Addons for Elementor plugin (<= 1.7.1052) contains a missing authorization vulnerability in several AJAX handlers. Specifically, functions related to the Mega Menu and Templates Kit registration fail to properly validate user capabilities. Although some handlers are registered only for authenticated users (wp_ajax_), others are registered for unauthenticated users (wp_ajax_nopriv_) or the plugin incorrectly exposes administrative nonces to the frontend, allowing unauthenticated attackers to trigger sensitive actions like creating new posts or modifying settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wpr_create_mega_menu_template (Identified in admin/mega-menu.php)
  • Parameters:
    • action: wpr_create_mega_menu_template
    • nonce: A valid nonce for the wpr-mega-menu-js action.
    • item_id: A numeric ID representing a menu item (can be an arbitrary integer).
  • Authentication: Unauthenticated (per CVE description and CVSS Vector PR:N).
  • Preconditions: The plugin must be active, and a valid nonce must be extracted from the frontend.

3. Code Flow

  1. The attacker sends a POST request to admin-ajax.php with action=wpr_create_mega_menu_template.
  2. The request is routed to the wpr_create_mega_menu_template() function in admin/mega-menu.php.
  3. The function retrieves the nonce from $_POST['nonce'] and the item ID from $_POST['item_id'].
  4. Vulnerability: In affected versions, the function either lacks the current_user_can('manage_options') check entirely or is incorrectly exposed via wp_ajax_nopriv_.
  5. If wp_verify_nonce passes, the code proceeds to:
    • Check if a mega menu already exists for that item: get_post_meta( $menu_item_id, 'wpr-mega-menu-item', true ).
    • If not, it calls wp_insert_post() to create a new post of type wpr_mega_menu with post_status set to publish.
    • It updates the post meta: update_post_meta( $menu_item_id, 'wpr-mega-menu-item', $mega_menu_id ).
  6. The function returns a JSON response containing an edit_link to the newly created post.

4. Nonce Acquisition Strategy

The nonce wpr-mega-menu-js is required. This plugin typically localizes its data into a global JavaScript object accessible on the frontend if any Royal Addons components are active.

  1. Identify Trigger: The Mega Menu functionality often enqueues its scripts on any page displaying a navigation menu.
  2. Setup Page: Use WP-CLI to ensure a standard menu exists.
  3. Extraction:
    • Navigate to the homepage or any public page.
    • The plugin localizes data into a variable, often named WprConfig or WprAddonsData (based on common patterns in this plugin).
    • JS Variable: window.WprConfig or window.WPRConfig.
    • Nonce Key: nonce or specifically mega_menu_nonce.
    • Verification: Check admin/mega-menu.php line 59: wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ).

5. Exploitation Strategy

  1. Extract Nonce: Perform an unauthenticated GET request to the site's homepage and search the HTML for the WprConfig object containing the wpr-mega-menu-js nonce.
  2. Trigger Creation: Send an unauthenticated POST request to create a mega menu post.

HTTP Request (PoC)

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET_HOST
Content-Type: application/x-www-form-urlencoded

action=wpr_create_mega_menu_template&nonce=EXTRACTED_NONCE&item_id=1337
  3. Analyze Response: A successful attack will return a JSON object:
    {
      "success": true,
      "data": {
        "edit_link": "http://TARGET_HOST/wp-admin/post.php?post=NEW_POST_ID&action=elementor"
      }
    }
    

6. Test Data Setup

  1. Install Plugin: Ensure royal-elementor-addons <= 1.7.1052 is installed.
  2. Create a Menu Item: The exploit targets an item_id. Create a dummy menu item to ensure the post meta update has a target (though wp_insert_post will trigger regardless of whether the item_id exists).
    wp menu create "Test Menu"
    wp menu item add-post "Test Menu" 1   # add post ID 1 to the menu; the new menu item's ID is printed
    

7. Expected Results

  • The HTTP response should contain a status 200 and the edit_link JSON.
  • A new post of type wpr_mega_menu should be created in the database.
  • The post_meta for the specified item_id should be updated with the key wpr-mega-menu-item.

8. Verification Steps

  1. Check for New Post:
    wp post list --post_type=wpr_mega_menu --fields=ID,post_title,post_status
    
    Confirm a post named wpr-mega-menu-item-1337 exists and has post_status publish.
  2. Check Post Meta:
    wp post meta list 1337 # Use the item_id from the attack
    
    Confirm the key wpr-mega-menu-item exists and points to the new post ID.
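A scripted version of the two checks above, from the site owner's side: it looks for wpr_mega_menu posts that are not bound to a real menu item the way the plugin's own handler binds them. This is an added example, not the advisory's or the plugin's code; it assumes WP-CLI's `--format=json` output (ID/post_title/post_status columns for posts, meta_key/meta_value columns for post meta), and the sample data inside is constructed.

```python
"""Forensic check for CVE-2026-28135 (added example, not part of the advisory).

Feed it the JSON from:
  wp post list --post_type=wpr_mega_menu --fields=ID,post_title,post_status --format=json
  wp post list --post_type=nav_menu_item --fields=ID --format=json
  wp post meta list <ID> --format=json        (one call per nav_menu_item)
The handler names each post 'wpr-mega-menu-item-<item_id>' and writes the
'wpr-mega-menu-item' meta on that item, so a post whose item_id is not a
nav_menu_item, or whose item does not point back, was not created normally.
"""
import json
import re

TITLE_RE = re.compile(r"^wpr-mega-menu-item-(\d+)$")
META_KEY = "wpr-mega-menu-item"

# Constructed sample data standing in for the three WP-CLI outputs above.
MEGA_MENU_POSTS = json.dumps([
    {"ID": 41, "post_title": "wpr-mega-menu-item-17", "post_status": "publish"},
    {"ID": 42, "post_title": "wpr-mega-menu-item-1337", "post_status": "publish"},
])
NAV_MENU_ITEMS = json.dumps([{"ID": 17}, {"ID": 18}])
MENU_ITEM_META = {
    17: json.dumps([{"meta_key": META_KEY, "meta_value": "41"}]),
    18: json.dumps([]),
}


def find_orphaned_mega_menus(mega_menu_json, nav_items_json, meta_by_item):
    """Return [(post_id, item_id, reason)] for suspicious wpr_mega_menu posts."""
    nav_ids = {int(row["ID"]) for row in json.loads(nav_items_json)}
    findings = []
    for post in json.loads(mega_menu_json):
        m = TITLE_RE.match(post["post_title"])
        if not m:
            findings.append((post["ID"], None, "title not in handler's format"))
            continue
        item_id = int(m.group(1))
        if item_id not in nav_ids:
            findings.append((post["ID"], item_id, "item_id is not a nav_menu_item"))
            continue
        meta = json.loads(meta_by_item.get(item_id, "[]"))
        linked = {row["meta_value"] for row in meta if row["meta_key"] == META_KEY}
        if str(post["ID"]) not in linked:
            findings.append((post["ID"], item_id, "menu item meta does not point back"))
    return findings


if __name__ == "__main__":
    for post_id, item_id, reason in find_orphaned_mega_menus(
            MEGA_MENU_POSTS, NAV_MENU_ITEMS, MENU_ITEM_META):
        print(f"post {post_id} (item_id={item_id}): {reason}")
```

Any hit is worth a look at the post's creation date and the web server log for admin-ajax.php requests around that time.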

9. Alternative Approaches

If wpr_create_mega_menu_template is properly protected in the target version, check other AJAX actions registered in admin/templates-kit.php which are likely to have the same missing authorization vulnerability:

  • wpr_reset_previous_import: Could allow an attacker to wipe previous template imports.
  • wpr_fix_royal_compatibility: Might perform unauthorized site configuration changes.
  • wpr_activate_required_plugins: Could be used to force-activate plugins.

To test these, look for nonces localized under WprConfig.templates_kit_nonce or similar keys.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Royal Addons for Elementor plugin is vulnerable to unauthorized access because multiple AJAX handlers, such as those for creating mega menu templates and managing template kits, fail to perform sufficient capability checks. This allows unauthenticated attackers to perform administrative actions, such as creating new posts and modifying metadata, by utilizing administrative nonces leaked to the site's frontend.

Vulnerable Code

// admin/mega-menu.php line 52
add_action( 'wp_ajax_wpr_create_mega_menu_template', 'wpr_create_mega_menu_template' );
add_action( 'wp_ajax_wpr_save_mega_menu_settings', 'wpr_save_mega_menu_settings' );

---

// admin/mega-menu.php line 61
function wpr_create_mega_menu_template() {

    $nonce = $_POST['nonce'];

    if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' )  || !current_user_can( 'manage_options' ) ) {
      return; // Get out of here, the nonce is rotten!
    }

    // $menu_id = intval( $_REQUEST['menu'] );
    // $menu_item_id = intval( $_REQUEST['item'] );
    $menu_item_id = intval( $_POST['item_id'] );
    $mega_menu_id = get_post_meta( $menu_item_id, 'wpr-mega-menu-item', true );

    if ( ! $mega_menu_id ) {

        $mega_menu_id = wp_insert_post( array(
            'post_title'  => 'wpr-mega-menu-item-' . $menu_item_id,
            'post_status' => 'publish',
            'post_type'   => 'wpr_mega_menu',
        ) );

        update_post_meta( $menu_item_id, 'wpr-mega-menu-item', $mega_menu_id );

    }

---

// admin/templates-kit.php line 17
add_action( 'wp_ajax_wpr_activate_required_theme', 'wpr_activate_required_theme' );
add_action( 'wp_ajax_wpr_activate_required_plugins', 'wpr_activate_required_plugins' );
add_action( 'wp_ajax_wpr_fix_royal_compatibility', 'wpr_fix_royal_compatibility' );
add_action( 'wp_ajax_wpr_reset_previous_import', 'wpr_reset_previous_import' );
add_action( 'wp_ajax_wpr_import_templates_kit', 'wpr_import_templates_kit' );
add_action( 'wp_ajax_wpr_final_settings_setup', 'wpr_final_settings_setup' );
add_action( 'wp_ajax_wpr_search_query_results', 'wpr_search_query_results' );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1052/admin/mega-menu.php /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1053/admin/mega-menu.php
--- /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1052/admin/mega-menu.php	2026-03-20 08:14:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1053/admin/mega-menu.php	2026-03-27 10:11:54.000000000 +0000
@@ -61,15 +61,23 @@
 // Create Menu Template
 function wpr_create_mega_menu_template() {
 
-    $nonce = $_POST['nonce'];
+    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpr-mega-menu-js' ) || ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( [ 'message' => 'Invalid request.' ] );
+        return;
+    }
+
+    if ( ! isset( $_POST['item_id'] ) ) {
+        wp_send_json_error( [ 'message' => 'Missing item_id.' ] );
+        return;
+    }
 
-    if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' )  || !current_user_can( 'manage_options' ) ) {
-      return; // Get out of here, the nonce is rotten!
+    $menu_item_id = absint( $_POST['item_id'] );
+    $menu_item = get_post( $menu_item_id );
+    if ( ! $menu_item || $menu_item->post_type !== 'nav_menu_item' ) {
+        wp_send_json_error( [ 'message' => 'Invalid menu item.' ] );
+        return;
     }
 
-    // $menu_id = intval( $_REQUEST['menu'] );
-    // $menu_item_id = intval( $_REQUEST['item'] );
-    $menu_item_id = intval( $_POST['item_id'] );
     $mega_menu_id = get_post_meta( $menu_item_id, 'wpr-mega-menu-item', true );
 
     if ( ! $mega_menu_id ) {
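Review bot: the capability check is not new in this hunk: the removed line `-    if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' )  || !current_user_can( 'manage_options' ) ) {` already gated the handler on `manage_options`, so what the diff actually adds is an `isset()` guard plus `sanitize_text_field( wp_unslash( ... ) )` on the nonce, `absint()` on `item_id`, and a `get_post()` lookup that rejects ids which are not `nav_menu_item` posts before a `wpr_mega_menu` post is inserted and bound to that id; the commit message should say that, since the advisory text describes a missing check rather than the input validation this hunk introduces. Minor: `wp_send_json_error()` terminates the request itself, so the three `return;` statements that follow it are unreachable and can be dropped.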

Exploit Outline

The exploit methodology involves the following steps:

  1. Obtain a valid administrative nonce by performing an unauthenticated GET request to the site's homepage and searching the HTML for the `WprConfig` or `WPRConfig` JavaScript object, which contains the `wpr-mega-menu-js` nonce.
  2. Construct an unauthenticated POST request to the `/wp-admin/admin-ajax.php` endpoint.
  3. Include the parameter `action=wpr_create_mega_menu_template`, the extracted `nonce`, and an arbitrary integer for the `item_id` parameter.
  4. Upon execution, the server will bypass authorization checks (due to the missing/incorrect capability validation in affected versions) and create a new published post of type `wpr_mega_menu`, returning a JSON response containing an Elementor edit link for the new post.
