Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read

Vulnerability

The Royal Elementor Addons and Templates WordPress plugin versions before 1.3.81 contains an access control vulnerability. The plugin fails to verify that users accessing posts through an AJAX action (and a REST endpoint, currently disabled in the plugin) have the required permissions. This allows unauthenticated attackers to read arbitrary draft, private, and password-protected posts and pages [1].

Exploitation

An unauthenticated attacker can exploit this by sending crafted AJAX requests to the affected WordPress site, targeting the vulnerable endpoint provided by the plugin. No authentication or special privileges are required. The attacker simply needs to know or guess the post ID to retrieve its content [1].

Impact

Successful exploitation leads to unauthorized disclosure of potentially sensitive content from draft, private, or password-protected posts and pages. This could include unpublished content, private data, or information meant to be accessible only to authenticated users with appropriate permissions, compromising confidentiality [1].

Mitigation

The issue is fixed in version 1.3.81 of the Royal Elementor Addons and Templates plugin. Users should update to this version or later immediately. No workarounds are mentioned in the available reference; the REST endpoint is noted as currently disabled in the plugin, but the AJAX action remains exploitable until the update is applied [1].