CVE-2022-4709: 
WordPress vulnerability analysis and mitigation

CVE-2022-4709 is a security vulnerability discovered in the Royal Elementor Addons WordPress plugin versions below 1.3.60. The vulnerability relates to insufficient access control in the template kit import functionality. It was publicly disclosed on January 10, 2023, and affects websites using the vulnerable plugin versions (WPScan, Wordfence).

The vulnerability stems from the absence of proper authorization and CSRF (Cross-Site Request Forgery) checks when importing and activating templates from the vendor library. The vulnerability has been assigned a CVSS score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. It is classified under CWE-862 and falls into the OWASP Top 10 category A5: Broken Access Control (WPScan).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscribers, to import and activate templates from the vendor library. This could potentially lead to unauthorized modifications of the website's appearance and structure (WPScan).

The vulnerability has been patched in version 1.3.60 of the Royal Elementor Addons plugin. Website administrators are advised to update to this version or later to mitigate the risk (Wordfence).