Atomic Edge analysis of CVE-2026-28135:

The vulnerability is a Missing Authorization (CWE-862) flaw in the Royal Addons for Elementor plugin. The root cause is the absence of a capability check in the `wpr_verify_recaptcha` AJAX handler. This function, defined in the `WPR_Recaptcha_Handler` class within `/royal-elementor-addons/classes/modules/forms/wpr-recaptcha-handler.php`, registers both an authenticated (`wp_ajax_wpr_verify_recaptcha`) and an unauthenticated (`wp_ajax_nopriv_wpr_verify_recaptcha`) hook. The vulnerable version performs reCAPTCHA verification without validating whether the requesting user has the appropriate permissions.

Attackers can send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `wpr_verify_recaptcha`. The handler processes the `g-recaptcha-response` parameter and returns a JSON success or error message. Because no authorization is enforced, an unauthenticated attacker can consume server resources by forcing reCAPTCHA verification requests against Google's API.

The patch adds input sanitization using `sanitize_text_field` and `wp_unslash` for the `g-recaptcha-response` and `recaptcha_version` parameters. However, the core authorization flaw remains unaddressed in the diff. The impact is limited to a low-privilege denial-of-service vector that abuses the external API call, with a CVSS score of 5.3 reflecting moderate impact.
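A hypothetical hardened handler, as an added example that is not the plugin's code, showing the nonce and capability checks the analysis above says the handler lacks (the class, hook, nonce and option names prefixed `wpr_example_` are assumptions):

```php
<?php
// Added example, not the plugin's code: a hypothetical hardened handler with the
// nonce and capability checks the advisory says are missing. Class, hook, nonce
// and option names (wpr_example_*) are assumptions.
class WPR_Example_Recaptcha_Handler {

    public function __construct() {
        // Register only the authenticated hook; without a wp_ajax_nopriv_* hook,
        // WordPress never routes anonymous admin-ajax.php calls to verify().
        add_action( 'wp_ajax_wpr_example_verify_recaptcha', array( $this, 'verify' ) );
    }

    public function verify() {
        // Nonce check: rejects cross-site and replayed requests (dies with 403 on failure).
        check_ajax_referer( 'wpr_example_recaptcha_nonce', 'nonce' );

        // Capability check (the CWE-862 control): only users allowed to edit content
        // may trigger an outbound request to Google's siteverify endpoint.
        if ( ! current_user_can( 'edit_posts' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // Input sanitization, as the patch already does.
        $response = isset( $_POST['g-recaptcha-response'] )
            ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '';
        if ( '' === $response ) {
            wp_send_json_error( array( 'message' => 'Missing reCAPTCHA response.' ), 400 );
        }

        // Server-side verification with a short timeout so a slow upstream cannot
        // tie up PHP workers; the secret comes from an assumed option name.
        $result = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
            'timeout' => 5,
            'body'    => array(
                'secret'   => get_option( 'wpr_example_recaptcha_secret' ),
                'response' => $response,
            ),
        ) );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( array( 'message' => 'Verification service unavailable.' ), 502 );
        }
        $body = json_decode( wp_remote_retrieve_body( $result ), true );
        if ( empty( $body['success'] ) ) {
            wp_send_json_error( array( 'message' => 'reCAPTCHA verification failed.' ), 400 );
        }
        wp_send_json_success( array( 'message' => 'reCAPTCHA verified.' ) );
    }
}
new WPR_Example_Recaptcha_Handler();
```

If the plugin's front-end forms must verify reCAPTCHA for anonymous visitors, the `nopriv` hook cannot simply be dropped; that path needs a nonce bound to the rendered form plus server-side rate limiting in place of the capability check.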