Lucene search

[email protected]NVD:CVE-2022-4704

HistoryJan 10, 2023 - 5:15 p.m.

CVE-2022-4704

2023-01-1017:15:11

[email protected]

web.nvd.nist.gov

wordpress

vulnerability

access control

ajax

configuration templates

images

settings

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

45.0%

JSON

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the ‘wpr_import_templates_kit’ AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates including images and settings.

Affected configurations

Nvd

Node

royal-elementor-addonsroyal_elementor_addonsRange≤1.3.59wordpress

VendorProductVersionCPE
royal-elementor-addonsroyal_elementor_addons*cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
royal-elementor-addons	royal_elementor_addons	*	cpe:2.3:a:royal-elementor-addons:royal_elementor_addons::::::wordpress::*

References

plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/admin/templates-kit.php?rev=2833046

www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/

www.wordfence.com/threat-intel/vulnerabilities/id/64cce528-0ad0-45ec-a8f6-e8791b0bece0

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

45.0%

JSON

Related for NVD:CVE-2022-4704

prion2 cvelist2 wpvulndb1 cve2 nvd1 wordfence1 packetstorm1 openvas1