Royal Addons for Elementor Missing Authorization Vulnerability Allowing Unauthenticated Data Modification

Vulnerability

A vulnerability exists in the Royal Addons for Elementor WordPress plugin, in versions through 1.7.1056, allowing unauthorized data modification. This issue arises from a missing capability check on the 'wpr_update_form_action_meta' AJAX action, which is available to unauthenticated users. Although a nonce is verified, it is publicly exposed in frontend JavaScript, rendering the protection ineffective. The endpoint lacks capability or ownership checks and directly modifies post metadata with user-controlled input, potentially leading to unauthorized changes in form action settings and data exfiltration via altered webhook URLs.

Impact

Exploitation of this vulnerability allows unauthenticated users to modify form action metadata on any post, including the email, submissions, Mailchimp, and webhook settings. This could result in unauthorized tampering with webhook or email actions, with potential data exfiltration through modified webhook URLs.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'wp_ajax_wpr_update_form_action_meta' action without the required capabilities. The request must include the 'nonce' parameter, which can be obtained from the exposed 'WprConfig.nonce' in the frontend JavaScript of any page that loads Royal Addons widgets. Once the request is sent, the 'post_id', 'action_name', 'status', and 'message' parameters can be used to specify the desired modifications to the form action metadata.
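The pattern described above, as an added illustration that is not the plugin's code: a WordPress AJAX handler that relies on a nonce alone, beside a hardened handler that adds the per-post capability check and input validation the advisory says were missing. The nonce action name ('wpr-nonce'), the meta key prefix and the function names are assumptions made for the example; only the AJAX action and parameter names come from the advisory.

```php
<?php
// Added illustration (not the plugin's code). Nonce action name, meta key
// prefix and function names are assumptions for this example.

// Weak pattern (NOT hooked here): a nonce only proves the request came from a
// page that rendered it, so it defends against CSRF. It says nothing about
// whether the caller may edit the post. Once the nonce is printed into
// frontend JavaScript for every visitor (e.g. WprConfig.nonce) and the action
// is also registered on wp_ajax_nopriv_, the check is effectively a no-op.
function example_update_form_action_meta_weak() {
    check_ajax_referer( 'wpr-nonce', 'nonce' );                       // CSRF only
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $action  = sanitize_key( $_POST['action_name'] ?? '' );
    update_post_meta( $post_id, 'wpr_form_action_' . $action, array(   // no authz
        'status'  => sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) ),
        'message' => sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// Hardened pattern: keep the nonce, additionally require a logged-in user who
// may edit the target post, confirm the post exists, and restrict the action
// name to known values. A write endpoint gets no wp_ajax_nopriv_ registration.
function example_update_form_action_meta_hardened() {
    check_ajax_referer( 'wpr-nonce', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'invalid post', 400 );
    }
    // edit_post is a meta capability: for posts the user does not own it maps
    // to edit_others_posts, which gives the ownership check WordPress expects.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'email', 'submissions', 'mailchimp', 'webhook' );
    $action  = sanitize_key( $_POST['action_name'] ?? '' );
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    update_post_meta( $post_id, 'wpr_form_action_' . $action, array(
        'status'  => sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) ),
        'message' => sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
// Authenticated hook only; no nopriv counterpart for a data-modifying action.
add_action( 'wp_ajax_wpr_update_form_action_meta', 'example_update_form_action_meta_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_nopriv_` registration whose handler calls `update_post_meta`, `update_option` or similar without a `current_user_can` check; a passing `check_ajax_referer` on its own is not evidence of authorization.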

Remediation

Users are advised to update the Royal Addons for Elementor plugin to version 1.7.1057 or a newer patched version.

Added: May 2, 2026, 9:26 AM
Updated: May 2, 2026, 9:26 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 8.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.