CVE-2026-4024 Overview
CVE-2026-4024 affects the Royal Addons for Elementor plugin for WordPress in all versions up to and including 1.7.1056. The vulnerability stems from a missing capability check on the wpr_update_form_action_meta AJAX action [CWE-862]. The handler is registered on both wp_ajax and wp_ajax_nopriv hooks, exposing it to unauthenticated users. While a nonce is verified, the wpr-addons-js nonce is published in frontend JavaScript through WprConfig.nonce on any page that loads Royal Addons widgets. Attackers can read the nonce and modify form action configuration metadata on any post.
Critical Impact
Unauthenticated attackers can tamper with email, submissions, Mailchimp, and webhook settings, enabling form data exfiltration through attacker-controlled webhook URLs.
Affected Products
- Royal Addons for Elementor plugin for WordPress
- All versions up to and including 1.7.1056
- WordPress sites loading Royal Addons widgets on any public page
Discovery Timeline
- 2026-05-02 - CVE-2026-4024 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-4024
Vulnerability Analysis
The Royal Addons for Elementor plugin registers the wpr_update_form_action_meta AJAX handler on both authenticated and unauthenticated WordPress hooks. The handler verifies a nonce named wpr-addons-js before processing the request. However, this nonce is exposed publicly on the frontend through the WprConfig.nonce JavaScript variable. Any visitor can extract it from the page source on sites that render Royal Addons widgets.
The endpoint passes user-controlled input directly to update_post_meta() against a whitelisted set of form action meta keys. No capability check or post ownership validation occurs before the metadata write. This allows attackers to modify form configuration on any post regardless of the post author or current user role.
The whitelisted meta keys cover email recipients, submission storage, Mailchimp integration, and webhook delivery URLs. Modifying webhook destinations redirects collected form submissions to attacker-controlled endpoints.
Root Cause
The root cause is a missing authorization control. The plugin treats nonce verification as sufficient access control, but registering the handler on wp_ajax_nopriv and exposing the nonce in public JavaScript makes the nonce a non-secret. The handler omits both current_user_can() capability checks and post ownership validation before invoking update_post_meta().
Attack Vector
An unauthenticated attacker visits any page on the target site that loads a Royal Addons widget. The attacker reads WprConfig.nonce from the rendered page source. Using that nonce, the attacker sends a crafted POST request to /wp-admin/admin-ajax.php with action=wpr_update_form_action_meta and a target post ID. The request overwrites the form's webhook URL or email recipient. Subsequent form submissions on that post are delivered to the attacker-controlled destination, enabling exfiltration of personal data submitted through the form.
For exploitation specifics, refer to the Wordfence Vulnerability Report and the plugin source at wpr-actions-status.php.
Detection Methods for CVE-2026-4024
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=wpr_update_form_action_meta from unauthenticated sessions or unexpected source IPs.
- Unexpected changes to post meta keys related to Royal Addons form actions, including webhook URLs, email recipients, and Mailchimp configuration.
- Form submissions failing to reach legitimate destinations or appearing in unfamiliar third-party services.
- HTTP requests where the WordPress session cookie is absent but the wpr-addons-js nonce is present.
Detection Strategies
- Inspect web server access logs for admin-ajax.php requests with the wpr_update_form_action_meta action parameter and correlate with the requesting user authentication state.
- Audit the wp_postmeta table for recent modifications to Royal Addons form action meta keys and compare against a known-good baseline.
- Monitor outbound traffic from the WordPress host for connections to unrecognized webhook domains following form submission events.
Monitoring Recommendations
- Enable WordPress audit logging for post meta modifications and review changes to form configuration metadata daily.
- Alert on any wp_ajax_nopriv_wpr_update_form_action_meta invocations at the WAF or reverse proxy layer.
- Track new outbound destinations from form submission workflows and flag domains not previously approved.
How to Mitigate CVE-2026-4024
Immediate Actions Required
- Update the Royal Addons for Elementor plugin to a version later than 1.7.1056 once the vendor releases a patched build.
- Audit all posts using Royal Addons form widgets and verify webhook URLs, email recipients, and Mailchimp settings against expected values.
- Restore tampered form action metadata from a known-good backup if unauthorized modifications are confirmed.
- Rotate any API keys or webhook secrets associated with form integrations exposed during the vulnerable window.
Patch Information
At the time of NVD publication on 2026-05-02, the vulnerability affects all versions up to and including 1.7.1056. Monitor the Wordfence Vulnerability Report and the plugin repository for the fixed release. The fix should add a current_user_can() capability check and post ownership validation before calling update_post_meta().
Workarounds
- Deactivate the Royal Addons for Elementor plugin until a patched version is installed if forms are not business-critical.
- Block requests to /wp-admin/admin-ajax.php containing action=wpr_update_form_action_meta from unauthenticated sources at the WAF or reverse proxy.
- Remove the wp_ajax_nopriv_wpr_update_form_action_meta hook through a custom mu-plugin to disable unauthenticated access to the endpoint.
- Restrict access to pages that render Royal Addons widgets to authenticated users where feasible to limit nonce exposure.
# Example WAF rule (ModSecurity) to block unauthenticated calls
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,deny,status:403,id:1026424,msg:'Block CVE-2026-4024 exploit attempt'"
SecRule ARGS:action "@streq wpr_update_form_action_meta" \
"chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
