8.8

Royal Addons for Elementor plugin allows unauthorized file uploads

CVE-2025-13067
Summary

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized file uploads by authenticated users with author-level access and above. This could allow attackers to upload malicious files, potentially allowing them to take control of the website. Update to a fixed version of the plugin to prevent this risk.

Original title
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting...
Original description
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-434 Unrestricted File Upload
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026
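
The description above says a file named main.php could bypass the plugin's sanitization. As an added triage example (not code from the plugin or from this advisory), the Python scan below flags that filename and other PHP-executable content under an uploads tree. The directory layout, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions often mapped to the PHP handler (assumption; match your server config).
PHP_EXTS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".pht"}
ADVISORY_NAME = "main.php"  # filename named in the CVE-2025-13067 description


def scan_uploads(root):
    """Return sorted (relative_path, reason) findings under an uploads tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            # Check every dot-separated suffix so names like "x.php.jpg" are caught too.
            suffixes = {"." + part for part in lower.split(".")[1:]}
            if lower == ADVISORY_NAME:
                findings.append((rel, "advisory-filename"))
            elif suffixes & PHP_EXTS:
                findings.append((rel, "php-extension"))
            else:
                # Media files should never carry a PHP open tag near the start.
                with open(full, "rb") as fh:
                    head = fh.read(1024).lower()
                if b"<?php" in head:
                    findings.append((rel, "php-open-tag"))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real artifacts
            "2026/03/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
            "2026/03/main.php": b"<?php // constructed placeholder",
            "2026/03/banner.png": b"\x89PNG <?php // constructed polyglot",
            "cache/Helper.PHTML": b"constructed",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    print(demo())
```

On a real site, point `scan_uploads` at the uploads directory and review each finding against known-good files before removing anything.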