Royal Elementor Addons and Templates Vulnerability – Multiple Stored XSS Issues and IP Spoofing – Various CVEs |WordPress Plugin Vulnerability Report 

Plugin Name: Royal Elementor Addons and Templates

Key Information:

  • Software Type: Plugin
  • Software Slug: royal-elementor-addons
  • Software Status: Active
  • Software Author: wproyal
  • Software Downloads: 5,140,265
  • Active Installs: 300,000
  • Last Updated: May 6, 2024
  • Patched Versions: 1.3.972, 1.3.95
  • Affected Versions: <= 1.3.971, <= 1.3.93

Vulnerability Details:

  1. Authenticated Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes
    • CVE: CVE-2024-3675
    • CVSS Score: 6.4
    • Affected Versions: <= 1.3.971
    • Description: Vulnerable to Stored Cross-Site Scripting via the plugin's Flip Carousel, Flip Box, Post Grid, and Taxonomy List widgets due to insufficient input sanitization and output escaping on user-supplied attributes. Allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts.
  2. Authenticated Stored Cross-Site Scripting via HTML Tags
    • CVE: CVE-2024-2799
    • CVSS Score: 6.4
    • Affected Versions: <= 1.3.96
    • Description: Vulnerable to Stored Cross-Site Scripting via the Image Grid & Advanced Text widget HTML tags due to insufficient input sanitization and output escaping. Allows authenticated attackers to inject arbitrary web scripts.
  3. Authenticated Stored Cross-Site Scripting via Advanced Accordion Title Tags
    • CVE: CVE-2024-3889
    • CVSS Score: 6.4
    • Affected Versions: <= 1.3.971
    • Description: Vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Accordion widget due to insufficient input sanitization and output escaping on user-supplied attributes like 'accordion_title_tag'. Allows authenticated attackers to inject arbitrary web scripts.
  4. Authenticated DOM-Based Stored Cross-Site Scripting
    • CVE: CVE-2024-2798
    • CVSS Score: 6.5
    • Affected Versions: <= 1.3.971
    • Description: Vulnerable to Stored Cross-Site Scripting via the plugin's widget containers due to insufficient input sanitization and output escaping. Allows authenticated attackers to inject arbitrary web scripts.
  5. Unauthenticated IP Spoofing
    • CVE: CVE-2024-32786
    • CVSS Score: 5.3
    • Affected Versions: <= 1.3.93
    • Description: Vulnerable to IP Address Spoofing in all versions up to, and including, 1.3.93 due to insufficient IP address validation. Allows unauthenticated attackers to spoof their IP addresses.

Summary:

The Royal Elementor Addons and Templates for WordPress has vulnerabilities in versions up to and including 1.3.971 and 1.3.93 that allow for both stored cross-site scripting and IP spoofing. These vulnerabilities have been patched in versions 1.3.972 and 1.3.95 respectively.

Detailed Overview:

The vulnerabilities identified in the Royal Elementor Addons and Templates plugin affect multiple components, including the Flip Carousel, Flip Box, Post Grid, Taxonomy List, Advanced Accordion, and widget containers. These vulnerabilities are particularly concerning as they allow attackers with contributor-level access or above to inject malicious scripts. Additionally, the IP spoofing vulnerability does not require authentication, enabling attackers to misrepresent their IP addresses. These security issues pose significant risks including data leakage, unauthorized actions, and misrepresentation of user activity, which could lead to broader security implications for affected websites.

Advice for Users:

  • Immediate Action: Update to versions 1.3.972 or 1.3.95 as appropriate to mitigate the identified risks.
  • Check for Signs of Vulnerability: Administrators should review their sites for any unusual activity or unauthorized modifications, particularly in the areas affected by these vulnerabilities.
  • Alternate Plugins: Given the number of vulnerabilities reported, users may consider evaluating alternative plugins with similar functionality but a stronger security record.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

Conclusion:

The developers of the Royal Elementor Addons and Templates responded promptly to address these vulnerabilities with updates, highlighting the importance of timely software updates. Users are advised to apply these updates without delay to protect their WordPress installations.

References:

Detailed Report: 

In today's digital landscape, the security of your website can make or break your online presence. Recent vulnerabilities found in the Royal Elementor Addons and Templates—a popular WordPress plugin—serve as a stark reminder of this reality. With over 300,000 active installs and a history of 31 vulnerabilities since March 4, 2022, the plugin has faced multiple security challenges, highlighting a critical aspect of website management: the imperative of staying updated.

Vulnerability Details:

The Royal Elementor Addons and Templates plugin has experienced several critical vulnerabilities:

  • Stored Cross-Site Scripting via various widget attributes allowing malicious script injections.
  • Unauthenticated IP Spoofing allowing attackers to misrepresent their IP addresses.
  • The plugin has had 31 documented vulnerabilities since March 2022, indicating ongoing security challenges.

Risks and Potential Impacts:

These vulnerabilities expose users to risks such as data leakage, unauthorized website control, and potential financial and reputational damage. For businesses, the integrity of data and trust of customers hang in the balance, making these vulnerabilities particularly threatening.

Overview of Previous Vulnerabilities:

The Royal Elementor Addons and Templates plugin has had a troubling history with 31 vulnerabilities reported since early 2022, reinforcing the need for continual vigilance and prompt updates.

Conclusion: The Imperative of Proactive Security Management

Keeping your WordPress site secure is an ongoing challenge that requires vigilance and proactive management. For small business owners, the stakes are high as cybersecurity threats can disrupt operations and erode customer trust. Regular updates, vigilant monitoring for unusual activity, and a responsive approach to addressing vulnerabilities are crucial. Utilizing managed WordPress hosting services can also offload some of the security burdens, ensuring that software updates and security patches are applied without delay.

In conclusion, safeguarding your digital presence is not just about reacting to threats but preventing them. By staying informed and proactive, you can significantly reduce the risks posed by vulnerabilities and protect your business in the digital age.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Royal Elementor Addons and Templates Vulnerability – Multiple Stored XSS Issues and IP Spoofing – Various CVEs |WordPress Plugin Vulnerability Report FAQs

Leave a Comment