cleantalk
Vulnerabilities and Security Researches

Royal Elementor Addons and Templates, CVE-2025-13067

CVE, Research URL

CVE-2025-13067

Home page URL

Security reports for Royal Elementor Addons and Templates

Application

Royal Elementor Addons and Templates

Published on
Mar 11, 2026
Research Description
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
max 1.7.1049.
Status
vulnerable
Previous vulnerability researches
Hello Elementor (CVE-2024-31289) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-43292) , Aug 20, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-0766) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-35167) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-50447) , Oct 27, 2024
New vulnerability
SMTP Mailer (CVE-2026-32538) , Mar 29, 2026
Best WordPress Gallery Plugin – FooGallery (CVE-2026-25362) , Mar 29, 2026
Best WordPress Gallery Plugin – FooGallery (CVE-2026-25363) , Mar 29, 2026
Best WordPress Gallery Plugin – FooGallery (CVE-2025-15524) , Mar 29, 2026
Photo Gallery by 10Web – Mobile-Friendly Image Gallery (CVE-2026-27360) , Mar 29, 2026