CVE-2022-4701

Name of the Vulnerable Software and Affected Versions The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.3.59

Description The issue is related to insufficient access control in the 'wpr activate required plugins' AJAX action. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site.

Recommendations For versions up to, and including, 1.3.59, update to a version higher than 1.3.59 to resolve the issue. As a temporary workaround, consider restricting access to the 'wpr activate required plugins' AJAX action to prevent unauthorized plugin activation. Additionally, restrict the installation of the 'contact-form-7', 'media-library-assistant', and 'woocommerce' plugins to trusted users only.