On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.

We released a firewall rule protecting against these vulnerabilities to Wordfence Premium, Care, and Response customers on December 23, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 22, 2023.

While none of the vulnerabilities were critical, several of them could have been used by any authenticated user to modify content, disable plugins, or even temporarily take down the site in some circumstances. Additionally one of the patched vulnerabilities was a Reflected Cross-Site Scripting vulnerability which could have been used to take over the site if an attacker was able to trick an administrator into performing an action, such as clicking a link.

Vulnerability Details

The primary set of issues we found with Royal Elementor Addons was due to a lack of access control and nonce checks on various AJAX actions in the plugin.

Royal Elementor Addons has an option to quickly activate the recommended Royal Elementor Kit theme. Unfortunately, this is performed via an AJAX function, wpr_activate_required_theme, which did not perform capability or nonce checks, or even check if the theme was installed on the site. This meant that any logged-in user, such as a subscriber, could change a vulnerable site’s theme. If the Royal Elementor Kit theme was not installed on the site, this would result in a loss of availability as the site would fail to load and instead display an error message.


Royal Elementor Addons has an option to revert the site to a “compatible” state for imported templates via the wpr_fix_royal_compatibility AJAX function. This involves deactivating all but a short list of hard-coded plugins. As the function did not use capability or nonce checks, this means that any authenticated user could deactivate plugins necessary for site functionality as well as any security plugins that do not specifically block this action. This could cause the site to become unavailable or vulnerable to additional exploits.


Royal Elementor Addons allows importing preset templates via the wpr_import_templates_kit AJAX function. Vulnerable versions of the plugin do not include capability or nonce check for this function, so any authenticated user could import templates, potentially overwriting any existing templates.


Royal Elementor Addons has an option to activate the ‘contact-form-7’, ‘media-library-assistant’, or ‘woocommerce’ plugins if they are installed on the site via the wpr_activate_required_plugins AJAX action, and this functionality was available to any logged-in user. Fortunately the impact of this vulnerability is quite minimal as it would only allow an attacker to activate three select plugins.


Royal Elementor Addons has an AJAX action, wpr_reset_previous_import, used to delete previously imported content when importing new content. However, since it is accessible to any authenticated user, this could be used to delete imported content without importing new content, potentially resulting in site availability issues.


Royal Elementor Addons uses the wpr_final_settings_setup AJAX action to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action. As with the other vulnerabilities recorded here, any authenticated user could access this functionality, though the impact of this vulnerability was lower.


Royal Elementor Addons uses the wpr_save_mega_menu_settings AJAX action to update mega menu settings. As with the other vulnerabilities we found, this action called a function that did not include a capability check or a nonce check, so any authenticated user could update menu settings.


Royal Elementor Addons uses the wpr_save_template_conditions AJAX action to save template conditions, determining when a given template will be displayed and used. The action called a function that was accessible to any authenticated user.


Royal Elementor Addons uses the wpr_import_library_template AJAX action to import and activate templates from the plugin developers’ template library. As with other vulnerabilities reported here, the action called a function that did not include a capability or nonce check, allowing any authenticated user to access it.


The final vulnerabilities we found did not exactly fit the pattern of the others – one was a lower-severity Cross-Site Request Forgery(CSRF) and the other, a higher-severity reflected Cross-Site Scripting(XSS).

Unlike the other AJAX actions we’ve mentioned so far, wpr_create_mega_menu_template, which is used to create new menu templates, did include access control. It was, however, still lacking a nonce check, so an attacker could trick a logged-in administrator into performing an action that would result in a menu template being created.


Unlike all of the other vulnerabilities mentioned above, reflected cross-site scripting(XSS) can be used by an attacker to completely take over a website if they can trick a logged-in administrator into performing an action, such as clicking a link, by performing actions as that administrator, such as adding a new malicious administrator, or inserting a backdoor into a plugin or theme file.

Additionally, unauthenticated users could also be targeted by this to redirect them to a malicious website or perform actions in their browsers. In this case, the data_fetch function failed to escape the wpr_ajax_search_link_target parameter used to return search results. Note that all Wordfence users, including Wordfence free users, are protected against exploits targeting this rule by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Timeline

December 23, 2022 – We release a firewall rule protecting Wordfence Premium, Care, and Response customers and reach out to the plugin developer
December 26, 2023 – The plugin developer responds
December 29, 2023 – A patched version, 1.3.60, is released
January 22, 2023 – Firewall rule becomes available to Wordfence Free users 

Conclusion

In today’s article, we covered a set of 11 vulnerabilities in the Royal Elementor Addons plugin. While none are critical, several can have severe consequences under certain circumstances.

The Wordfence firewall protects Wordfence Premium, Care, and Response users from these vulnerabilities and Wordfence Free users will receive protection on January 22, 2023 Nonetheless, we strongly recommend updating to the latest version of the plugin, which is 1.3.60 at the time of this writing, as soon as possible.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Royal Elementor Addons as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.