{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40763", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:20:32.456Z", "datePublished": "2026-04-15T10:21:35.155Z", "dateUpdated": "2026-04-29T09:52:04.809Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "royal-elementor-addons", "product": "Royal Elementor Addons", "vendor": "WP Royal", "versions": [{"changes": [{"at": "1.7.1057", "status": "unaffected"}], "lessThanOrEqual": "1.7.1056", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:45.196Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.</p>"}], "value": "Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:04.809Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1056-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Royal Elementor Addons plugin <= 1.7.1056 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:40:14.463382Z", "id": "CVE-2026-40763", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:41:45.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40763", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:40:14.463382Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:38:50.594Z"}}], "cna": {"title": "WordPress Royal Elementor Addons plugin <= 1.7.1056 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "WP Royal", "product": "Royal Elementor Addons", "versions": [{"status": "affected", "changes": [{"at": "1.7.1057", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.1056"}], "packageName": "royal-elementor-addons", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T12:20:45.196Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1056-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:35.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40763", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:41:45.860Z", "dateReserved": "2026-04-15T09:20:32.456Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-15T10:21:35.155Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056."}], "id": "CVE-2026-40763", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T11:16:36.657", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1056-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.1056]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.7.1057,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Royal Elementor Addons", "source": "cna", "vendor": "WP Royal"}, "product": "royal_elementor_addons", "vendor": "wp_royal"}], "analysis": {"en": {"generated_at": "2026-04-17T07:05:39.828881+00:00", "value": {"mitigation_remediation": ["Upgrade Royal Elementor Addons to the latest available version as soon as a patch is released", "Restrict access to the plugin\u2019s administration area by limiting WordPress user roles to a minimal set of trusted administrators", "If a quick patch or restriction is not feasible, consider temporarily deactivating or uninstalling the plugin to remove the attack surface"], "summary": {"action": "Upgrade plugin", "impact": "Broken access control allowing unauthorized plugin administration"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that employs WP Royal Royal Elementor Addons version 1.7.1056 or earlier is vulnerable. This includes all releases from the earliest available version through 1.7.1056 because the flaw is present in every iteration up to that point.", "description_and_impact": "The Royal Elementor Addons plugin for WordPress contains a missing authorization flaw that permits unauthorized browsing of the plugin\u2019s administration interface. This broken access control (CWE-862) allows an attacker to read or modify plugin configuration.", "risk_and_exploitability": "Exploitation would require an attacker to reach the plugin\u2019s administration URLs, a scenario that is implicit from the missing authorization flaw. Based on the description, it is inferred that absence of proper access controls allows an attacker to read or modify the plugin\u2019s configuration settings. The vulnerability\u2019s impact on confidentiality and integrity of site data is potentially significant, however the actual exploitation likelihood cannot be determined from the available data. The CVSS score is 5.3, the EPSS score is less than 1%, and the vulnerability is not listed in KEV."}}}}, "created": "2026-04-15T13:38:17.786808+00:00", "updated": "2026-04-17T07:15:12.290893+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_royal", "wp_royal$PRODUCT$royal_elementor_addons"]}