Royal Addons for Elementor – Addons and Templates Kit for Elementor…

Mar 5, 2026 | Plugins

Attack Vectors

CVE-2026-28135 affects the WordPress plugin Royal Addons for Elementor – Addons and Templates Kit for Elementor (slug: royal-elementor-addons) in versions up to and including 1.7.1049. Rated Medium severity (CVSS 5.3), it can be triggered remotely over the internet.

The primary risk scenario is straightforward: if the plugin is installed and active on a public-facing WordPress site, an unauthenticated attacker may be able to send requests that invoke the vulnerable function and cause an unauthorized action—without needing a login and without user interaction.

Security Weakness

The underlying issue is a missing authorization (capability) check on a function in the plugin. In WordPress terms, a handler that changes site state runs without verifying the caller's capabilities (for example, with no `current_user_can()` check); note that a nonce check alone does not count, since nonces protect against CSRF and are not a permission check. In practical terms, the site fails to consistently verify "is this requester allowed to do this?" before performing an action.

Because the check is absent rather than bypassed with someone's credentials, exploitation does not depend on stolen passwords or insider misuse. The key business concern is that external, unknown parties may be able to perform actions that should be restricted to trusted users.
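As an added illustration of this weakness class (not code from the Royal Addons plugin, whose affected function is not identified in the advisory), the following hypothetical WordPress handler shows a state-changing AJAX action registered without any capability check, beside a hardened version; the REST route at the end shows the same check expressed as `permission_callback`. All names (`myplugin_*`, the action and option keys, the `manage_options` capability) are assumptions made for the example, and the code expects to be loaded inside a WordPress plugin.

```php
<?php
/**
 * Added example, not code from the affected plugin. Names and capability
 * requirements are assumptions; the pattern is what matters.
 */

// --- Vulnerable pattern: state-changing AJAX action reachable without login.
// Registering on wp_ajax_nopriv_* exposes the handler to logged-out visitors via
// /wp-admin/admin-ajax.php?action=myplugin_save_template
add_action('wp_ajax_nopriv_myplugin_save_template', 'myplugin_save_template_vulnerable');
add_action('wp_ajax_myplugin_save_template', 'myplugin_save_template_vulnerable');

function myplugin_save_template_vulnerable() {
    // No nonce check and no capability check: anyone who can reach the site
    // can overwrite this option with arbitrary content.
    update_option('myplugin_template', wp_unslash($_POST['template'] ?? ''));
    wp_send_json_success();
}

// --- Hardened pattern: logged-in only, CSRF-protected, authorized, sanitized.
// No wp_ajax_nopriv_ registration, so admin-ajax.php rejects logged-out callers.
add_action('wp_ajax_myplugin_save_template', 'myplugin_save_template_hardened');

function myplugin_save_template_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this specific action.
    //    (dies with a 403 on failure)
    check_ajax_referer('myplugin_save_template', 'nonce');

    // 2. Authorization: a nonce proves intent, not permission. Check capability
    //    explicitly; this is the check the advisory says is missing.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Validate and sanitize input before persisting it.
    $template = sanitize_text_field(wp_unslash($_POST['template'] ?? ''));
    update_option('myplugin_template', $template);
    wp_send_json_success(['saved' => true]);
}

// --- Same principle for a REST route: permission_callback is the authorization
// check. Passing '__return_true' here for a write endpoint reproduces the
// missing-authorization weakness in REST form.
add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/template', [
        'methods'             => 'POST',
        'callback'            => 'myplugin_rest_save_template',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'template' => [
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ]);
});

function myplugin_rest_save_template(WP_REST_Request $request) {
    // Reached only if permission_callback returned true and args validated.
    update_option('myplugin_template', $request->get_param('template'));
    return rest_ensure_response(['saved' => true]);
}
```

When auditing a plugin for this class of bug, the quick triage is: list every `wp_ajax_nopriv_*` hook, every `admin_post_nopriv_*` hook and every `register_rest_route()` call, then confirm each one that changes state either requires login plus a capability check, or (for REST) has a `permission_callback` that does more than return true.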

Technical or Business Impacts

While the published score indicates no confirmed confidentiality impact and a limited integrity impact, the integrity angle matters for marketing and operations: unauthorized changes can undermine content accuracy, brand trust, and campaign performance.

Potential business impacts include unapproved site changes that create reputational risk, time lost to incident response and remediation, disruption to marketing timelines, and added compliance workload for documenting risk decisions—especially since there is no known patch available at the time of writing.

Given the "no patch" status, leadership teams should decide on mitigations aligned to risk tolerance. For many organizations, the safest path is to uninstall the affected plugin and replace it, then review the site for unexpected changes (recently modified posts, templates, options and users) and strengthen monitoring and access controls around WordPress administration. Deactivating the plugin stops WordPress from registering its handlers, but removing it entirely eliminates the code path; re-check the advisory for a fixed release before committing to a permanent replacement.

Similar Attacks

WordPress plugin vulnerabilities are frequently leveraged at scale because plugins are widely deployed across business sites. Examples of real, widely reported WordPress plugin and core incidents of this kind include:

WP File Manager 0-day mass exploitation (Wordfence, 2020)
RevSlider vulnerability and mass exploitation (Wordfence, 2014)
WordPress 4.7.2 security release addressing REST API content injection (WordPress.org, 2017)

For reference on this specific issue, track the official record for CVE-2026-28135 and the vendor-reported details from Wordfence.
