CVE-2025-13067
Received Received - Intake

Arbitrary File Upload in Royal Addons for Elementor Enables RCE

Vulnerability report for CVE-2025-13067, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-07-06
AI Q&A
2026-03-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
royal_addons elementor_plugin to 1.7.1049 (inc)
royal_addons royal_elementor_addons to 1.7.1049 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Royal Addons for Elementor plugin for WordPress has a vulnerability in all versions up to and including 1.7.1049 that allows arbitrary file uploads. This happens because the plugin does not properly validate file types, specifically failing to detect files named main.php. As a result, an authenticated attacker with author-level access or higher can upload files to the server that should normally be blocked.

This flaw can potentially allow the attacker to execute remote code on the affected server by uploading malicious files.

Impact Analysis

This vulnerability can have serious impacts including unauthorized remote code execution on your WordPress site. An attacker with author-level access could upload malicious files, potentially gaining control over the server, modifying site content, stealing data, or launching further attacks.

The CVSS score of 8.8 indicates a high severity, meaning the vulnerability is relatively easy to exploit and can lead to significant confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the Royal Addons for Elementor plugin to a version later than 1.7.1049, as the vulnerability exists in all versions up to and including 1.7.1049.

The changeset 3475656 for royal-elementor-addons, tagged as version 1.7.1050, includes fixes that address this issue.

Additionally, restrict author-level access and above to trusted users only, as the vulnerability requires authenticated users with author-level permissions or higher to exploit.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart