CVE-2026-28135
Access Control Bypass in Royal Elementor Addons
Publication date: 2026-03-05
Last updated on: 2026-04-29
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| royal_elementor_addons | royal_elementor_addons | From 1.0.0 (inc) to 1.7.1049 (inc) |
| royal_elementor_addons | royal_elementor_addons | to 1.7.1049 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28135 is a vulnerability in the WordPress Royal Elementor Addons Plugin, affecting versions up to and including 1.7.1049. It involves the inclusion of functionality from an untrusted control sphere, allowing access to functionality that is not properly constrained by Access Control Lists (ACLs). This means that unauthorized users can exploit the vulnerability without needing to authenticate.
This vulnerability is classified under the OWASP Top 10 category A4: Insecure Design, indicating a design flaw that can lead to security issues.
How can this vulnerability impact me?
The vulnerability has a high severity CVSS score of 8.2, meaning it poses a significant security risk. Since it allows unauthorized access to functionality without authentication, attackers could potentially exploit it to perform actions that should be restricted.
However, Patchstack considers the impact low and the likelihood of exploitation low, which reduces the immediate risk. Still, exploitation could lead to unauthorized actions within the affected plugin, potentially compromising the security or integrity of the WordPress site using it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
As of the publication date, no official patch has been released for this vulnerability.

Since the vulnerability affects Royal Elementor Addons versions up to and including 1.7.1049, an immediate step is to monitor for updates or patches from the plugin developers.

Additionally, consider applying general security best practices such as restricting access to the plugin's functionality, monitoring for unusual activity, and using security plugins or services like Patchstack to help mitigate risks. [1]