Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Missing Authorization
Description
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.7.1053. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<1.7.1053What Changed in the Fix
Changes introduced in v1.7.1053
Source Code
WordPress.org SVN# Detailed Exploitation Research Plan - CVE-2026-25436 ## 1. Vulnerability Summary The **Royal Addons for Elementor** plugin (versions < 1.7.1053) contains a **Missing Authorization** vulnerability. Several AJAX handlers registered in the plugin (specifically those related to template kit managemen…
Show full research plan
Detailed Exploitation Research Plan - CVE-2026-25436
1. Vulnerability Summary
The Royal Addons for Elementor plugin (versions < 1.7.1053) contains a Missing Authorization vulnerability. Several AJAX handlers registered in the plugin (specifically those related to template kit management) fail to perform a current_user_can() capability check. Although the handlers are intended for administrators, they were registered using wp_ajax_nopriv_ or lacked server-side authorization, allowing unauthenticated attackers to trigger sensitive actions like resetting site data or importing template kits.
2. Attack Vector Analysis
- Vulnerable Endpoint:
wp-admin/admin-ajax.php - AJAX Action:
wpr_reset_previous_import(orwpr_import_templates_kit) - Authentication: None (Unauthenticated /
PR:N) - Payload Parameters:
action:wpr_reset_previous_importnonce: (See Nonce Acquisition Strategy)
- Preconditions: The plugin must be active.
3. Code Flow
The vulnerability resides in admin/templates-kit.php.
- Registration: The plugin registers several AJAX actions in
admin/templates-kit.php:add_action( 'wp_ajax_wpr_reset_previous_import', 'wpr_reset_previous_import
Summary
The Royal Addons for Elementor plugin fails to perform adequate capability checks on several AJAX handlers, including those for mega menu management and template kit imports. This allows unauthenticated or low-privileged attackers to perform administrative actions such as creating or modifying mega menu templates and resetting site data related to template imports.
Vulnerable Code
// admin/mega-menu.php line 64 function wpr_create_mega_menu_template() { $nonce = $_POST['nonce']; if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ) || !current_user_can( 'manage_options' ) ) { return; // Get out of here, the nonce is rotten! } $menu_item_id = intval( $_POST['item_id'] ); $mega_menu_id = get_post_meta( $menu_item_id, 'wpr-mega-menu-item', true ); --- // admin/mega-menu.php line 253 function wpr_save_mega_menu_settings() { $nonce = $_POST['nonce']; if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ) || !current_user_can( 'manage_options' ) ) { exit; // Get out of here, the nonce is rotten! } if ( isset($_POST['item_settings']) ) { update_post_meta( $_POST['item_id'], 'wpr-mega-menu-settings', $_POST['item_settings'] ); } wp_send_json_success($_POST['item_settings']); }
Security Fix
@@ -61,15 +61,23 @@ // Create Menu Template function wpr_create_mega_menu_template() { - $nonce = $_POST['nonce']; + if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpr-mega-menu-js' ) || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Invalid request.' ] ); + return; + } + + if ( ! isset( $_POST['item_id'] ) ) { + wp_send_json_error( [ 'message' => 'Missing item_id.' ] ); + return; + } - if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ) || !current_user_can( 'manage_options' ) ) { - return; // Get out of here, the nonce is rotten! + $menu_item_id = absint( $_POST['item_id'] ); + $menu_item = get_post( $menu_item_id ); + if ( ! $menu_item || $menu_item->post_type !== 'nav_menu_item' ) { + wp_send_json_error( [ 'message' => 'Invalid menu item.' ] ); + return; } - // $menu_id = intval( $_REQUEST['menu'] ); - // $menu_item_id = intval( $_REQUEST['item'] ); - $menu_item_id = intval( $_POST['item_id'] ); $mega_menu_id = get_post_meta( $menu_item_id, 'wpr-mega-menu-item', true ); if ( ! $mega_menu_id ) { @@ -252,20 +260,81 @@ <?php } +// Save Mega Menu Settings function wpr_save_mega_menu_settings() { - $nonce = $_POST['nonce']; + if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpr-mega-menu-js' ) || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Invalid request.' ] ); + return; + } - if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ) || !current_user_can( 'manage_options' ) ) { - exit; // Get out of here, the nonce is rotten! + if ( ! isset( $_POST['item_id'] ) || ! isset( $_POST['item_settings'] ) || ! is_array( $_POST['item_settings'] ) ) { + wp_send_json_error( [ 'message' => 'Missing item_id or item_settings.' ] ); + return; + } + + $item_id = absint( $_POST['item_id'] ); + $item_post = get_post( $item_id ); + if ( ! $item_post || $item_post->post_type !== 'nav_menu_item' ) { + wp_send_json_error( [ 'message' => 'Invalid menu item.' ] ); + return; } - if ( isset($_POST['item_settings']) ) { - update_post_meta( $_POST['item_id'], 'wpr-mega-menu-settings', $_POST['item_settings'] ); + $allowed_keys = wpr_mega_menu_allowed_settings_keys(); + $raw = wp_unslash( $_POST['item_settings'] ); + $sanitized = []; + foreach ( $allowed_keys as $key ) { + if ( array_key_exists( $key, $raw ) ) { + $sanitized[ $key ] = wpr_sanitize_mega_menu_setting( $raw[ $key ], $key ); + } } - wp_send_json_success($_POST['item_settings']); + update_post_meta( $item_id, 'wpr-mega-menu-settings', $sanitized ); + wp_send_json_success( $sanitized ); }
Exploit Outline
The exploit targets AJAX actions such as 'wpr_create_mega_menu_template' or 'wpr_save_mega_menu_settings' via admin-ajax.php. An attacker can send a POST request with the 'action' parameter set to the target function and 'item_id' set to a valid menu item ID. Because the server-side code did not effectively enforce capability checks for unauthenticated or low-privileged users, the attacker could manipulate WordPress post metadata or trigger data reset functions (e.g., 'wpr_reset_previous_import'). In many cases, a valid security nonce might be required, but if the nonce is leaked in the front-end or the handler is registered via 'wp_ajax_nopriv_', unauthenticated exploitation is possible.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.