CVE-2025-11363
📋 TL;DR
The Royal Addons for Elementor WordPress plugin before version 1.7.1037 lacks proper authorization checks, allowing unauthenticated attackers to upload arbitrary media files. This affects all WordPress sites using vulnerable versions of the plugin. Attackers can exploit this to upload malicious files to the server.
💻 Affected Systems
- Royal Addons for Elementor WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers upload web shells or malware, gaining remote code execution and complete control of the WordPress site and potentially the underlying server.
Likely Case
Attackers upload malicious files (PHP shells, malware) to compromise the site, deface content, or establish persistence for further attacks.
If Mitigated
If file upload restrictions are enforced, impact is limited to storage consumption or non-executable file uploads.
🎯 Exploit Status
Simple HTTP POST request to vulnerable endpoint. WPScan provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1037
Vendor Advisory: https://wpscan.com/vulnerability/b2eadb7a-30a4-44c7-a420-849484faccf4/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Royal Addons for Elementor. 4. Click Update Now to version 1.7.1037 or later. 5. Verify update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable endpoint via .htaccess
linuxBlock access to the vulnerable upload endpoint using Apache mod_rewrite rules.
RewriteEngine On
RewriteRule ^wp-admin/admin-ajax\.php\?action=wpr_addons_upload_file - [F,L]
Temporarily disable plugin
allDeactivate Royal Addons plugin until patched.
wp plugin deactivate royal-elementor-addons
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing 'wpr_addons_upload_file' action parameter.
- Restrict file uploads at server level: disable PHP execution in upload directories, implement file type validation.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 1.7.1037, it's vulnerable.Check Version:
wp plugin get royal-elementor-addons --field=versionVerify Fix Applied:
Confirm plugin version is 1.7.1037 or higher. Test upload functionality as unauthenticated user should be blocked.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=wpr_addons_upload_file
- File uploads from unauthenticated IP addresses
- Unusual file creations in wp-content/uploads/ directory
Network Indicators:
- POST requests with multipart/form-data containing suspicious file names or extensions
- Traffic spikes to admin-ajax.php endpoint
SIEM Query:
source="web_server" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND query_string="*action=wpr_addons_upload_file*"