The Royal Addons for Elementor plugin suffers from a missing authorization vulnerability (CWE-862) in the `wpr_update_form_action_meta` AJAX action. This action is registered for both authenticated and unauthenticated users (`wp_ajax` and `wp_ajax_nopriv`), allowing unauthenticated access. Despite nonce verification, the nonce is exposed in frontend JavaScript, making it trivial for attackers to bypass this protection. The endpoint lacks capability or ownership checks and directly updates post meta with user-controlled input on a whitelisted set of keys related to form action configuration. This enables unauthorized modification of form action metadata such as email, submission, Mailchimp, and webhook settings, which could be exploited to alter webhook URLs and exfiltrate data.

An unauthenticated attacker can modify form action configuration metadata on any post, including email and webhook settings. This can lead to tampering with webhook or email actions and potential data exfiltration through maliciously altered webhook URLs. There is no direct confidentiality impact on post content, but integrity of form action configurations is compromised. The CVSS score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, no user interaction, and limited impact on integrity only.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict or monitor access to the affected AJAX endpoint if possible, and consider disabling the Royal Addons plugin if it is not essential. Avoid exposing the vulnerable plugin on publicly accessible sites without additional access controls. Monitor vendor channels for updates and apply official fixes once released.