PT-2025-3864 · WordPress · The Royal Elementor Addons/Templates

Matthew Rollings

Published

2025-01-14

Updated

2025-03-03

CVE-2025-0393

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1006

Description The issue is due to missing or incorrect nonce validation on the wpr filter grid posts() function, making it possible for unauthenticated attackers to inject malicious web scripts via a forged request. This can happen if attackers can trick a site administrator into performing an action such as clicking on a link.

Recommendations For versions up to, and including, 1.7.1006, update to a version that includes the fix for the nonce validation issue in the wpr filter grid posts() function. As a temporary workaround, consider restricting access to the wpr filter grid posts() function until a patch is available.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2025-0393

Affected Products

The Royal Elementor Addons/Templates

PT-2025-3864 · WordPress · The Royal Elementor Addons/Templates

CVE-2025-0393

Weakness Enumeration

Related Identifiers

Affected Products

References · 11