CVE-2026-28135
Status: Received - Intake
Access Control Bypass in Royal Elementor Addons

Publication date: 2026-03-05

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Inclusion of Functionality from Untrusted Control Sphere vulnerability in WP Royal's Royal Elementor Addons (plugin slug royal-elementor-addons) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1052. (Note that the CPE data below gives the upper bound as 1.7.1049; the two figures on this page do not agree.)
Meta Information
Published: 2026-03-05
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
Also listed in: NVD, EUVD
Affected Vendors & Products
2 associated CPEs:
Vendor | Product | Version / Range
royal_elementor_addons | royal_elementor_addons | from 1.0.0 (inclusive) to 1.7.1049 (inclusive)
royal_elementor_addons | royal_elementor_addons | up to 1.7.1049 (inclusive)
CWE ID | Description
CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Quick Actions (AI-generated analysis)
Executive Summary

CVE-2026-28135 is a vulnerability in the Royal Elementor Addons plugin for WordPress (vendor WP Royal, slug royal-elementor-addons). It is classified as CWE-829, Inclusion of Functionality from Untrusted Control Sphere, and the assigner's description states that it allows access to plugin functionality that is not properly constrained by access control lists (ACLs): a user who should not be able to reach some functionality can do so. The affected range is stated inconsistently on this page: the CPE data lists versions up to and including 1.7.1049, while the assigner's description says "through <= 1.7.1052". Until a fixed release is confirmed, treat the higher bound as affected.

This page classifies the vulnerability under OWASP Top 10 category A4: Insecure Design, a design-level flaw rather than a single coding mistake.

Impact Analysis

The page reports a CVSS base score of 8.2, which is rated High. The CVSS vector is not reproduced here, so the attack vector and the privileges required cannot be read from this page; in particular, nothing shown here establishes whether exploitation requires an authenticated user. What the description does establish is that a caller can reach functionality the plugin's access controls were supposed to restrict, so a successful exploit means performing actions within the plugin that should have been denied.

Patchstack, however, rates both the impact and the likelihood of exploitation as low, which sits oddly beside the 8.2 base score and suggests the practical risk is narrower than the score alone implies. Even so, exploitation could lead to unauthorized actions within the affected plugin and so to a loss of integrity or confidentiality on the WordPress site using it.


Mitigation Strategies

As of the publication date, no official patch has been released for this vulnerability.

Since the vulnerability affects Royal Elementor Addons versions up to and including 1.7.1049 (1.7.1052 according to the assigner's description), an immediate step is to determine the installed version and monitor for updates or patches from the plugin developers.

Additionally, apply general security best practices such as restricting access to the plugin's functionality, monitoring for unusual activity, and using security plugins or services such as Patchstack to help mitigate risk.
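The first mitigation step above is to find out whether an installed copy falls inside the affected range. The following is an added example, not code from this page, from Patchstack, or from the plugin vendor. It reads the `Version:` field from a WordPress plugin's main-file header and compares it numerically against the upper bounds stated on this page. Because the page gives two different upper bounds (1.7.1049 in the CPE data, 1.7.1052 in the description), the check conservatively uses the higher one. The plugin header text embedded below is constructed for the example; the real plugin's main file path is not assumed, so it is passed in by the caller.

```python
import re

# Upper bounds of the affected range as stated on this page. They disagree,
# so is_affected() uses the higher one (a conservative assumption, not a
# statement about which figure is correct).
AFFECTED_UPPER_BOUNDS = ("1.7.1049", "1.7.1052")


def parse_version(version: str) -> tuple:
    """Split a dotted numeric version into a tuple of ints.

    Numeric comparison matters here: as strings, "1.7.1049" < "1.7.99",
    which would wrongly mark a build like 1.7.1049 as newer than it is.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"not a numeric version: {version!r}")
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b; 1.7 is treated as 1.7.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, bounds=AFFECTED_UPPER_BOUNDS) -> bool:
    """True if the installed version is <= the highest stated upper bound."""
    upper = max(bounds, key=parse_version)
    return compare_versions(installed, upper) <= 0


def version_from_plugin_header(header_text: str) -> str:
    """Extract the 'Version:' field from a WordPress plugin main-file header.

    WordPress reads these fields from the leading docblock of the plugin's
    main PHP file, one 'Field: value' pair per line.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not match:
        raise ValueError("no Version: header found")
    return match.group(1)


def check_plugin_file(path: str) -> bool:
    """Read a plugin main file from disk and report whether it is affected."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return is_affected(version_from_plugin_header(fh.read(4096)))


# Constructed sample header for the example; not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Royal Elementor Addons
 * Version: 1.7.1049
 * Text Domain: royal-elementor-addons
 */
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print(f"installed {installed}: affected={is_affected(installed)}")
```

On a live site, `wp plugin get royal-elementor-addons --field=version` (WP-CLI) gives the same version string without parsing the file, and the result can be fed straight into `is_affected()`.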
