CVE-2025-11363
Description
The Royal Addons for Elementor WordPress plugin before 1.7.1037 does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Royal Addons for Elementor plugin before 1.7.1037 lacks authorization, allowing unauthenticated attackers to upload arbitrary media files.
Vulnerability
Overview
The Royal Addons for Elementor WordPress plugin, in versions prior to 1.7.1037, does not enforce an authorization check on the wpr_addons_upload_file action. In WordPress terms, authorization means a capability check such as current_user_can( 'upload_files' ) before the handler acts; the description indicates that no such check gates this handler, so a visitor with no account and no privileges can invoke the upload functionality [1]. A nonce check, which the plugin may or may not also lack, only protects against cross-site request forgery and is not a substitute for a capability check.
Exploitation requires nothing beyond network access to a WordPress site running the vulnerable plugin: the attacker sends a request naming the wpr_addons_upload_file action with a file attached, and the handler stores it without making any access-control decision [1].
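The pattern the CVE describes, as an added illustration that is not code from Royal Addons for Elementor: a WordPress AJAX handler exposed to logged-out visitors with no capability check, beside a hardened version that requires a session, a nonce, the upload_files capability and a tight file-type allow-list. The function names and the nonce action string are assumptions chosen for the example; only the wpr_addons_upload_file action name comes from the advisory.

```php
<?php
// Added example, not the plugin's own code. Function names are illustrative.

// --- Vulnerable pattern: the action is registered for visitors without a
// session (wp_ajax_nopriv_*) and the handler never asks who is calling.
add_action( 'wp_ajax_wpr_addons_upload_file',        'example_upload_file_vulnerable' );
add_action( 'wp_ajax_nopriv_wpr_addons_upload_file', 'example_upload_file_vulnerable' );

function example_upload_file_vulnerable() {
    // No nonce check and no capability check: anyone who can reach
    // admin-ajax.php can store a file under wp-content/uploads.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// --- Hardened pattern: logged-in callers only (no wp_ajax_nopriv_ hook, so an
// unauthenticated request gets WordPress' default "0" / HTTP 400 and never
// reaches the handler), nonce-bound request, explicit capability, allow-listed types.
add_action( 'wp_ajax_wpr_addons_upload_file', 'example_upload_file_hardened' );

function example_upload_file_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (nonce action name 'wpr_addons_upload_file' is an assumption).
    check_ajax_referer( 'wpr_addons_upload_file', 'nonce' );

    // 2. Authorization: the check whose absence the CVE describes.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input presence: reject requests with no real uploaded file.
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file' ), 400 );
    }

    // 4. Accept only an explicit allow-list; wp_check_filetype_and_ext() sniffs
    //    image contents and validates the extension rather than trusting the
    //    client-supplied Content-Type.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'file type not allowed' ), 415 );
    }

    // 5. Let WordPress move the file and create the attachment, passing the same
    //    allow-list so the core upload path enforces it a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $attachment_id = media_handle_upload(
        'file',
        0,
        array(),
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array(
        'attachment_id' => $attachment_id,
        'url'           => wp_get_attachment_url( $attachment_id ),
    ) );
}
```

Dropping the wp_ajax_nopriv_ registration is what closes the unauthenticated path; the capability check is still required because any logged-in account (a subscriber, say) can otherwise reach a wp_ajax_ handler. The nonce and the allow-list are defence in depth, not replacements for either.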
Impact
Successful exploitation lets an unauthenticated attacker place files of their choosing in the site's media library [1]. The description does not state which file types the handler accepts. Even if it is limited to the media types WordPress normally allows (images, video, documents), the impact is material: an attacker can exhaust disk space (denial of service), host malicious or illegal content under the site's domain, or stage files for use in later attacks. The "media only" limit is therefore something to verify against the patched handler's type and filename checks, not something to assume.
Mitigation
The vulnerability is fixed in version 1.7.1037 of the plugin; update immediately. No workaround is documented, so applying the update is the only remediation [1]. After updating, confirm the installed version from the Plugins screen or with WP-CLI, and review the media library and the uploads directory for files added during the exposure window that no legitimate user created; treat any such file as potentially attacker-placed content.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Royal Addons for Elementor, range: <1.7.1037
Patches
No patch commit linked yet (the fix ships in plugin version 1.7.1037; see Mitigation above).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.