• Resolved HassanMullah

    (@hassanmullah)


    Hi, at the moment the WordPress Royal Elementor Addons plugin <= 1.3.75 is always disabled via iThemes Security Pro. As a result, I can no longer see my header menu. Is this a known bug and will it be fixed soon?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Nick WP Royal Support

    (@elementoraddonswpr)

    Hi, this is a medium security issue and we are already working on updates.

    Kind Regards,
    Nick

    Hi, I also received this warning today. My cPanel recommends deleting it. The source of the warning is Patchstack. I find this plugin very useful, and I don’t really want to delete it. I hope we will get an update with the problem fixed.

    • This reply was modified 1 year, 3 months ago by lk701.
    Plugin Contributor Nick WP Royal Support

    (@elementoraddonswpr)

    Hi, the issue was discovered by the site https://patchstack.com/ and then spread out to plugins like Wordfence and other defense solutions. We are not able to reproduce the issue and we think that this is false info. We have emailed that site and are waiting for a response from them, so if you are running the latest version you do not need to worry about that.

    At first we thought that it was an issue (a few days ago, when the first person reported this), but after many tests we were unable to reproduce the case described on the Patchstack site – so probably someone submitted false info and that’s why we have this “panic” now.

    Kind Regards,
    Nick

    WordFence is also reporting this issue and suggesting deactivation and removal of the plugin because of a cross-site scripting vulnerability. The documentation is stating that the nonce declaration is missing in a function call.

    The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.75. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-1375-cross-site-request-forgery

    • This reply was modified 1 year, 2 months ago by capsrock. Reason: Added more information
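
The class of flaw the Wordfence description quoted above refers to, as an added example that is not part of this thread and is not the plugin's code: a state-changing WordPress AJAX handler without nonce validation, next to the same handler with a capability check and nonce check. All `example_addon_*` names, the `layout` field and `admin.js` are hypothetical, and the code assumes it is loaded as a plugin file inside WordPress.

```php
<?php
// Added illustration; 'example_addon_*' names are hypothetical, not from any real plugin.

// BEFORE: state-changing AJAX handler with no nonce check. WordPress only
// confirms the request carries a logged-in session cookie, so a forged
// cross-site request sent from an administrator's browser is accepted.
add_action( 'wp_ajax_example_addon_save_vulnerable', function () {
    $value = isset( $_POST['layout'] ) ? sanitize_text_field( wp_unslash( $_POST['layout'] ) ) : '';
    update_option( 'example_addon_layout', $value );
    wp_send_json_success();
} );

// AFTER: same handler with a capability check and nonce validation.
add_action( 'wp_ajax_example_addon_save', function () {
    // Authorization: only users who may manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF defence: the request must carry a nonce minted for this action
    // and this user. With $stop = false the result is returned, not die()'d.
    if ( ! check_ajax_referer( 'example_addon_save', '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }
    $value = isset( $_POST['layout'] ) ? sanitize_text_field( wp_unslash( $_POST['layout'] ) ) : '';
    update_option( 'example_addon_layout', $value );
    wp_send_json_success();
} );

// The admin page that issues the request must embed the nonce so legitimate
// requests pass the check; a third-party page cannot read this value.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-addon-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-addon-admin', 'exampleAddon', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_addon_save' ),
    ) );
    wp_enqueue_script( 'example-addon-admin' );
} );
```

The admin script would send `exampleAddon.nonce` as the `_ajax_nonce` POST field alongside the action name.
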
    Plugin Contributor Nick WP Royal Support

    (@elementoraddonswpr)

    Please trust me that this is not a serious issue and this is a mistake as well, but if you do not trust me you can delete the plugin.

    Kind Regards,
    Nick

    Thread Starter HassanMullah

    (@hassanmullah)

    Hi Nick, I don’t want to disable the plugin as my whole site is based on it. First the warning came from another plugin called “iThemes Security”. I have now deactivated this, thinking it would automatically deactivate the plugin. But it’s more likely a security feature from my provider. It would be really good if there is an update for your plugin soon, otherwise it will always be automatically deactivated and I will have my menu on my site.

    Thanks a lot

    Plugin Contributor Nick WP Royal Support

    (@elementoraddonswpr)

    Hi, please update to the latest version and all will be fine; the issue is fixed.

    Kind Regards,
    Nick

    Thread Starter HassanMullah

    (@hassanmullah)

    Thank you Nick!

  • The topic ‘Royal Elementor Addons plugin <= 1.3.75 – Multiple Cross Site Request’ is closed to new replies.