CVE-2022-4702

Name of the Vulnerable Software and Affected Versions The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.3.59

Description The issue is related to insufficient access control in the 'wpr fix royal compatibility' AJAX action. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited hardcoded selection. It also switches the site to the 'royal-elementor-kit' theme, potentially resulting in availability issues.

Recommendations For versions up to, and including, 1.3.59, update to a version higher than 1.3.59 to resolve the issue. As a temporary workaround, consider disabling the 'wpr fix royal compatibility' AJAX action until a patch is available. Restrict access to the 'royal-elementor-kit' theme to minimize the risk of exploitation. Avoid using the 'wpr fix royal compatibility' action in the affected AJAX endpoint until the issue is resolved.