PT-2026-36593 · WordPress · Royal Elementor Addons

Nguyen C · Published 2026-05-02 · Updated 2026-05-05 · CVE-2026-4024

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Royal Addons for Elementor versions prior to 1.7.1057

Description: The Royal Addons for Elementor plugin for WordPress allows unauthorized modification of data due to a missing capability check on the wpr_update_form_action_meta AJAX action. The handler is registered on both the wp_ajax and wp_ajax_nopriv hooks, making it accessible to unauthenticated users. A nonce (wpr-addons-js) is verified, but it is publicly exposed in frontend JavaScript via WprConfig.nonce on any page that loads Royal Addons widgets, which renders that protection ineffective: a nonce defends against CSRF, not against a caller who can simply read it. The endpoint performs no capability or ownership check and passes user-controlled input directly to update_post_meta() for a whitelisted set of form action meta keys. This allows unauthenticated attackers to modify form action configuration metadata, including email, submissions, Mailchimp, and webhook settings on any post, which could lead to webhook or email action tampering and data exfiltration via modified webhook URLs.

Recommendations: Update the plugin to a version later than 1.7.1056.
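As an added defensive example (not code from the Royal Addons plugin or from this advisory), the following is a hardened handler for the same AJAX action that applies the checks the description reports as absent: a capability check bound to the target post, a per-key allow-list with value validation, and no nopriv registration. The function name, allow-list contents, request field names and the webhook meta key are assumptions.

```php
<?php
// Added example, not plugin code; identifiers containing "example" are assumed.

// Only meta keys this handler may touch (assumed allow-list, not the plugin's).
const WPR_EXAMPLE_ALLOWED_FORM_META = array(
    'wpr_form_email_to',
    'wpr_form_webhook_url',
);

function wpr_example_update_form_action_meta() {
    // 1. Nonce: a CSRF defence only. A nonce printed into frontend JavaScript is
    //    readable by anyone who loads the page, so it must never be the sole gate.
    check_ajax_referer( 'wpr-addons-js', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. Authorization: the caller must be allowed to edit this specific post.
    //    current_user_can() returns false for anonymous users, so this fails closed.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! in_array( $key, WPR_EXAMPLE_ALLOWED_FORM_META, true ) ) {
        wp_send_json_error( 'unknown key', 400 );
    }

    // 3. Validate per key: a webhook destination must be an https URL, not free text.
    $value = isset( $_POST['meta_value'] ) ? wp_unslash( $_POST['meta_value'] ) : '';
    if ( 'wpr_form_webhook_url' === $key ) {
        $value = esc_url_raw( $value, array( 'https' ) );
        if ( '' === $value ) {
            wp_send_json_error( 'invalid webhook url', 400 );
        }
    } else {
        $value = sanitize_text_field( $value );
    }

    update_post_meta( $post_id, $key, $value );
    wp_send_json_success();
}

// Logged-in users only: no wp_ajax_nopriv_ registration, so the endpoint is
// unreachable before authentication.
add_action( 'wp_ajax_wpr_update_form_action_meta', 'wpr_example_update_form_action_meta' );
```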

Fix

Weakness Enumeration: Missing Authorization


Related Identifiers: CVE-2026-4024

Affected Products: Royal Elementor Addons