Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
72 vulnerabilities by WProyal
CVE-2026-8118 (GCVE-0-2026-8118)
Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-22 12:52
VLAI
Title
Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source
Summary
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, 'r') on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes it possible for authenticated attackers, with Contributor-level access and above, to save a crafted wpr-data-table widget through Elementor's save_builder endpoint and have the rendered preview return the line-by-line contents of any file readable by the PHP process, including wp-config.php.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
1.7.1058 , ≤ 1.7.1059
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T12:52:44.707388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T12:52:53.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1059",
"status": "affected",
"version": "1.7.1058",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jack Taylor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, \u0027r\u0027) on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes it possible for authenticated attackers, with Contributor-level access and above, to save a crafted wpr-data-table widget through Elementor\u0027s save_builder endpoint and have the rendered preview return the line-by-line contents of any file readable by the PHP process, including wp-config.php."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T04:31:34.131Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7ce047b-3cd3-475b-9a9f-38d15174e7e5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3532747/royal-elementor-addons"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T17:13:25.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-18T16:21:26.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8118",
"datePublished": "2026-06-19T04:31:34.131Z",
"dateReserved": "2026-05-07T16:50:03.874Z",
"dateUpdated": "2026-06-22T12:52:53.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6504 (GCVE-0-2026-6504)
Vulnerability from cvelistv5 – Published: 2026-05-14 08:24 – Updated: 2026-05-14 10:42
VLAI
Title
Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1058
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:37:12.831723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:42:12.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1058",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Romain Deperne"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027title_tag\u0027 parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T08:24:27.810Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed86e902-7637-481d-9005-7025187ba200?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3525351/royal-elementor-addons/trunk/modules/posts-timeline/widgets/wpr-posts-timeline.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3525351/royal-elementor-addons/trunk/modules/video-playlist/widgets/wpr-video-playlist.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-10T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-17T10:42:41.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-13T19:53:33.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027title_tag\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6504",
"datePublished": "2026-05-14T08:24:27.810Z",
"dateReserved": "2026-04-17T10:22:14.570Z",
"dateUpdated": "2026-05-14T10:42:12.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25436 (GCVE-0-2026-25436)
Vulnerability from cvelistv5 – Published: 2026-05-07 07:34 – Updated: 2026-05-07 15:59 X_Open Source
VLAI
Title
WordPress Royal Elementor Addons plugin < 1.7.1053 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WProyal | Royal Elementor Addons |
Affected:
n/a , < 1.7.1053
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T15:58:15.328381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T15:59:27.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "royal-elementor-addons",
"product": "Royal Elementor Addons",
"vendor": "WProyal",
"versions": [
{
"changes": [
{
"at": "1.7.1053",
"status": "unaffected"
}
],
"lessThan": "1.7.1053",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Bao - BlueRock | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Royal Elementor Addons: from n/a before 1.7.1053.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Royal Elementor Addons: from n/a before 1.7.1053."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T07:34:02.310Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Royal Elementor Addons Plugin to the latest available version (at least 1.7.1053)."
}
],
"value": "Update the WordPress Royal Elementor Addons Plugin to the latest available version (at least 1.7.1053)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress Royal Elementor Addons plugin \u003c 1.7.1053 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25436",
"datePublished": "2026-05-07T07:34:02.310Z",
"dateReserved": "2026-02-02T12:53:40.963Z",
"dateUpdated": "2026-05-07T15:59:27.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27421 (GCVE-0-2026-27421)
Vulnerability from cvelistv5 – Published: 2026-05-07 07:31 – Updated: 2026-05-07 13:03 X_Open Source
VLAI
Title
WordPress Royal Elementor Addons plugin < 1.7.1053 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS.
This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WProyal | Royal Elementor Addons |
Affected:
n/a , < 1.7.1053
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:03:31.316310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:03:38.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "royal-elementor-addons",
"product": "Royal Elementor Addons",
"vendor": "WProyal",
"versions": [
{
"changes": [
{
"at": "1.7.1053",
"status": "unaffected"
}
],
"lessThan": "1.7.1053",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Peter Thaleikis | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WProyal Royal Elementor Addons allows Stored XSS.\u003cp\u003eThis issue affects Royal Elementor Addons: from n/a before 1.7.1053.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WProyal Royal Elementor Addons allows Stored XSS.\n\nThis issue affects Royal Elementor Addons: from n/a before 1.7.1053."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T07:31:53.388Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Royal Elementor Addons Plugin to the latest available version (at least 1.7.1053)."
}
],
"value": "Update the WordPress Royal Elementor Addons Plugin to the latest available version (at least 1.7.1053)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress Royal Elementor Addons plugin \u003c 1.7.1053 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27421",
"datePublished": "2026-05-07T07:31:53.388Z",
"dateReserved": "2026-02-19T09:52:28.127Z",
"dateUpdated": "2026-05-07T13:03:38.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5159 (GCVE-0-2026-5159)
Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 12:36
VLAI
Title
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter
Summary
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1056
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T12:36:29.578475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T12:36:37.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1056",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Justin Nam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget\u0027s \u0027instagram_follow_text\u0027 setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T03:37:39.544Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3514368%40royal-elementor-addons%2Ftrunk\u0026old=3503219%40royal-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-30T14:26:21.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-04T14:53:29.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027Follow Button Text\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5159",
"datePublished": "2026-05-05T03:37:39.544Z",
"dateReserved": "2026-03-30T14:12:40.826Z",
"dateUpdated": "2026-05-05T12:36:37.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4803 (GCVE-0-2026-4803)
Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 13:46
VLAI
Title
Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta
Summary
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1056
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T13:46:05.979265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T13:46:26.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1056",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027status\u0027 parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T03:37:38.588Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-25T11:28:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-04T14:32:14.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via \u0027status\u0027 Parameter in wpr_update_form_action_meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4803",
"datePublished": "2026-05-05T03:37:38.588Z",
"dateReserved": "2026-03-25T11:13:17.868Z",
"dateUpdated": "2026-05-05T13:46:26.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4024 (GCVE-0-2026-4024)
Vulnerability from cvelistv5 – Published: 2026-05-02 08:27 – Updated: 2026-05-04 14:49
VLAI
Title
Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification
Summary
The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1056
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T14:47:25.593109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T14:49:17.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1056",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen C"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T08:27:04.649Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-11T20:46:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-01T20:11:49.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4024",
"datePublished": "2026-05-02T08:27:04.649Z",
"dateReserved": "2026-03-11T20:30:55.411Z",
"dateUpdated": "2026-05-04T14:49:17.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6229 (GCVE-0-2026-6229)
Vulnerability from cvelistv5 – Published: 2026-05-02 07:46 – Updated: 2026-05-04 13:39
VLAI
Title
Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter
Summary
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1057
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T13:39:04.423284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T13:39:10.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1057",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including \u0027docs.google.com/spreadsheets\u0027 in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T07:46:41.839Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9744055a-b199-4945-afcc-4f5b85f5f1e8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1873"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1873"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1918"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1918"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1832"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1832"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L2075"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L2075"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3514363%40royal-elementor-addons\u0026new=3514363%40royal-elementor-addons\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T14:36:01.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6229",
"datePublished": "2026-05-02T07:46:41.839Z",
"dateReserved": "2026-04-13T14:20:48.540Z",
"dateUpdated": "2026-05-04T13:39:10.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5428 (GCVE-0-2026-5428)
Vulnerability from cvelistv5 – Published: 2026-04-24 05:29 – Updated: 2026-04-24 18:24
VLAI
Title
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field
Summary
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1056
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T18:24:35.466658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:24:57.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1056",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T05:29:38.884Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba7b8fe5-aa49-4a70-89c9-1b95a30b1142?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6755"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6755"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6752"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6752"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3503209%40royal-elementor-addons\u0026new=3503209%40royal-elementor-addons\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T14:46:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-23T16:35:20.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5428",
"datePublished": "2026-04-24T05:29:38.884Z",
"dateReserved": "2026-04-02T14:30:44.825Z",
"dateUpdated": "2026-04-24T18:24:57.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5162 (GCVE-0-2026-5162)
Vulnerability from cvelistv5 – Published: 2026-04-17 01:24 – Updated: 2026-04-17 18:48
VLAI
Title
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget
Summary
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1056
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:48:14.470866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:48:24.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1056",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Justin Nam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget\u0027s \u0027instagram_follow_text\u0027 setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T01:24:36.629Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16d083bc-d726-4291-bc6d-a7bf83fa78c3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5334"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-30T14:48:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-16T13:10:11.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5162",
"datePublished": "2026-04-17T01:24:36.629Z",
"dateReserved": "2026-03-30T14:33:28.467Z",
"dateUpdated": "2026-04-17T18:48:24.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4305 (GCVE-0-2026-4305)
Vulnerability from cvelistv5 – Published: 2026-04-10 01:25 – Updated: 2026-04-13 15:15
VLAI
Title
Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter
Summary
The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely |
Affected:
0 , ≤ 1.0.16
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:08:42.377292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:15:09.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal WordPress Backup, Restore \u0026 Migration Plugin \u2013 Backup WordPress Sites Safely",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.0.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abi Wiranata"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal WordPress Backup \u0026 Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027wpr_pending_template\u0027 parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T01:25:00.917Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e0c658-b37c-4780-9589-6def9e36539b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/royal-backup-reset.php#L803"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/assets/backup-reminder.js#L751"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Froyal-backup-reset/tags/1.0.16\u0026new_path=%2Froyal-backup-reset/tags/1.0.17"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-09T12:23:20.000Z",
"value": "Disclosed"
}
],
"title": "Royal WordPress Backup \u0026 Restore Plugin \u003c= 1.0.16 - Reflected Cross-Site Scripting via \u0027wpr_pending_template\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4305",
"datePublished": "2026-04-10T01:25:00.917Z",
"dateReserved": "2026-03-16T20:37:11.594Z",
"dateUpdated": "2026-04-13T15:15:09.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39627 (GCVE-0-2026-39627)
Vulnerability from cvelistv5 – Published: 2026-04-08 08:30 – Updated: 2026-04-29 09:52
VLAI
Title
WordPress Ashe theme <= 2.266 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through <= 2.266.
Severity
4.3 (Medium)
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/a… | vdb-entry |
Date Public
2026-04-08 10:28
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T18:56:50.974269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T20:25:43.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ashe",
"product": "Ashe",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "2.266",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-08T10:28:33.648Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Ashe: from n/a through \u003c= 2.266.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe: from n/a through \u003c= 2.266."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:52:02.867Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-266-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ashe theme \u003c= 2.266 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-39627",
"datePublished": "2026-04-08T08:30:27.618Z",
"dateReserved": "2026-04-07T10:57:36.651Z",
"dateUpdated": "2026-04-29T09:52:02.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0664 (GCVE-0-2026-0664)
Vulnerability from cvelistv5 – Published: 2026-04-04 07:41 – Updated: 2026-04-08 16:44
VLAI
Title
Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass
Summary
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1049
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:20:58.130315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:21:09.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1049",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "knani alaaeddine"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027button_text\u0027 parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:44:08.627Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d4225a6-4aae-49a5-93e1-8dcc9a77e089?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/form-builder/widgets/wpr-form-builder.php?marks=3754,3984-3985#L3754"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-29T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-07T10:58:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-03T19:31:46.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons \u003c= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0664",
"datePublished": "2026-04-04T07:41:57.532Z",
"dateReserved": "2026-01-07T10:42:20.069Z",
"dateUpdated": "2026-04-08T16:44:08.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24382 (GCVE-0-2026-24382)
Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-04-28 16:14
VLAI
Title
WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/n… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | News Magazine X |
Affected:
0 , ≤ 1.2.50
(custom)
|
Date Public
2026-04-22 14:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T19:39:17.652549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:05:02.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "news-magazine-x",
"product": "News Magazine X",
"vendor": "wproyal",
"versions": [
{
"changes": [
{
"at": "1.2.51",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John P | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:18:29.181Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects News Magazine X: from n/a through \u003c= 1.2.50.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through \u003c= 1.2.50."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:14:48.412Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-theme-1-2-50-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress News Magazine X theme \u003c= 1.2.50 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-24382",
"datePublished": "2026-03-25T16:14:32.688Z",
"dateReserved": "2026-01-22T14:42:40.516Z",
"dateUpdated": "2026-04-28T16:14:48.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2373 (GCVE-0-2026-2373)
Vulnerability from cvelistv5 – Published: 2026-03-17 03:36 – Updated: 2026-04-08 17:20
VLAI
Title
Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure
Summary
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1049
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:25:07.262434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:25:15.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1049",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:32.228Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3475656/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-11T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-11T21:03:05.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-16T15:17:51.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor \u003c= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2373",
"datePublished": "2026-03-17T03:36:25.155Z",
"dateReserved": "2026-02-11T20:47:09.620Z",
"dateUpdated": "2026-04-08T17:20:32.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13067 (GCVE-0-2025-13067)
Vulnerability from cvelistv5 – Published: 2026-03-11 04:25 – Updated: 2026-04-08 16:48
VLAI
Title
Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass
Summary
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1049
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:37:38.195155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:39:46.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1049",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:04.452Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3edfc4af-2a28-4bdf-becf-018d9f656947?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3475656/royal-elementor-addons"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-12T13:51:01.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-10T15:36:21.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13067",
"datePublished": "2026-03-11T04:25:47.029Z",
"dateReserved": "2025-11-12T13:35:40.830Z",
"dateUpdated": "2026-04-08T16:48:04.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-63018 (GCVE-0-2025-63018)
Vulnerability from cvelistv5 – Published: 2026-01-22 16:51 – Updated: 2026-04-28 16:14
VLAI
Title
WordPress Bard theme <= 2.229 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bard: from n/a through <= 2.229.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/b… | vdb-entry |
Date Public
2026-04-22 14:21
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-63018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T18:14:04.115091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T18:14:07.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bard",
"product": "Bard",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "2.229",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohamad Fattyr | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:21:36.793Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Bard: from n/a through \u003c= 2.229.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bard: from n/a through \u003c= 2.229."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:14:08.705Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-229-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Bard theme \u003c= 2.229 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-63018",
"datePublished": "2026-01-22T16:51:48.143Z",
"dateReserved": "2025-10-24T14:25:34.658Z",
"dateUpdated": "2026-04-28T16:14:08.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5092 (GCVE-0-2025-5092)
Vulnerability from cvelistv5 – Published: 2025-11-20 06:38 – Updated: 2026-04-08 17:14
VLAI
Title
Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library
Summary
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
7 references
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| lightgalleryteam | LightGallery WP |
Affected:
0 , ≤ 1.0.5
(semver)
|
|
| tplugins | TP WooCommerce Product Gallery |
Affected:
0 , ≤ 1.1.9
(semver)
|
|
| vowelweb | Ibtana – WordPress Website Builder |
Affected:
0 , ≤ 1.2.5.1
(semver)
|
|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1031
(semver)
|
|
| wpsofts | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio |
Affected:
0 , ≤ 2.2.1
(semver)
|
|
| famethemes | OnePress |
Affected:
0 , ≤ 2.3.16
(semver)
|
|
| galaxyweblinks | Gallery with thumbnail slider |
Affected:
0 , ≤ 7.8
(semver)
|
|
| oxilab | Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) |
Affected:
0 , ≤ 9.10.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T15:43:06.923714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T15:43:12.710Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LightGallery WP",
"vendor": "lightgalleryteam",
"versions": [
{
"lessThanOrEqual": "1.0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TP WooCommerce Product Gallery",
"vendor": "tplugins",
"versions": [
{
"lessThanOrEqual": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ibtana \u2013 WordPress Website Builder",
"vendor": "vowelweb",
"versions": [
{
"lessThanOrEqual": "1.2.5.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1031",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Portfolio, Gallery, Product Catalog \u2013 Grid KIT Portfolio",
"vendor": "wpsofts",
"versions": [
{
"lessThanOrEqual": "2.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OnePress",
"vendor": "famethemes",
"versions": [
{
"lessThanOrEqual": "2.3.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Gallery with thumbnail slider",
"vendor": "galaxyweblinks",
"versions": [
{
"lessThanOrEqual": "7.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison \u0026 Magnifier )",
"vendor": "oxilab",
"versions": [
{
"lessThanOrEqual": "9.10.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled lightGallery library (\u003c= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:57.172Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/acaa3142-2bbc-43d3-8ecc-05e8edb931ec?source=cve"
},
{
"url": "https://github.com/sachinchoolur/lightGallery"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3311382/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3356089/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3372141/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3343557/"
},
{
"url": "https://themes.trac.wordpress.org/changeset/299860"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-11T08:22:48.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-19T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Multiple Plugins and Themes \u003c= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5092",
"datePublished": "2025-11-20T06:38:41.693Z",
"dateReserved": "2025-05-22T16:48:25.802Z",
"dateUpdated": "2026-04-08T17:14:57.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6251 (GCVE-0-2025-6251)
Vulnerability from cvelistv5 – Published: 2025-11-19 03:29 – Updated: 2026-04-08 17:31
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1036
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:07:46.929506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:07:58.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1036",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item[\u0027field_id\u0027] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:06.358Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ead108c4-ac09-42ea-95c5-e95dc514f1cb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/form-builder/widgets/wpr-form-builder.php#L4023"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-18T19:37:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T15:19:11.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6251",
"datePublished": "2025-11-19T03:29:39.598Z",
"dateReserved": "2025-06-18T19:21:08.910Z",
"dateUpdated": "2026-04-08T17:31:06.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24766 (GCVE-0-2025-24766)
Vulnerability from cvelistv5 – Published: 2025-08-14 10:34 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress News Magazine X <= 1.2.35 - Local File Inclusion Vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wproyal News Magazine X news-magazine-x allows PHP Local File Inclusion.This issue affects News Magazine X: from n/a through <= 1.2.37.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/n… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | News Magazine X |
Affected:
0 , ≤ 1.2.37
(custom)
|
Date Public
2026-04-01 16:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T14:22:39.942819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:42:29.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "news-magazine-x",
"product": "News Magazine X",
"vendor": "wproyal",
"versions": [
{
"changes": [
{
"at": "1.2.38",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2.37",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:43.301Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wproyal News Magazine X news-magazine-x allows PHP Local File Inclusion.\u003cp\u003eThis issue affects News Magazine X: from n/a through \u003c= 1.2.37.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wproyal News Magazine X news-magazine-x allows PHP Local File Inclusion.This issue affects News Magazine X: from n/a through \u003c= 1.2.37."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:34.362Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/news-magazine-x/vulnerability/wordpress-news-magazine-x-1-2-35-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress News Magazine X \u003c= 1.2.35 - Local File Inclusion Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24766",
"datePublished": "2025-08-14T10:34:36.787Z",
"dateReserved": "2025-01-23T14:53:16.439Z",
"dateUpdated": "2026-04-28T16:11:34.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5338 (GCVE-0-2025-5338)
Vulnerability from cvelistv5 – Published: 2025-06-26 09:22 – Updated: 2026-04-08 16:41
VLAI
Title
Royal Elementor Addons <= 1.7.1028 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets
Summary
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1028
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T13:09:43.796424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T13:10:11.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1028",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Asaf Mozes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:11.402Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/201ff7b6-d72a-43c3-a7b1-c4f917c9d27f?source=cve"
},
{
"url": "https://wordpress.org/plugins/royal-elementor-addons/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1022/assets/js/frontend.js"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3338468/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-11T08:22:48.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-06-25T20:58:34.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons \u003c= 1.7.1028 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5338",
"datePublished": "2025-06-26T09:22:02.905Z",
"dateReserved": "2025-05-29T21:17:30.244Z",
"dateUpdated": "2026-04-08T16:41:11.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3813 (GCVE-0-2025-3813)
Vulnerability from cvelistv5 – Published: 2025-05-31 07:22 – Updated: 2026-04-08 17:17
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1020 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1020
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T15:37:54.278413Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:48:56.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1020",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brian Sans-Souci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_elementor_data\u2019 parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:59.756Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b957eb0d-882d-4646-ad84-9c64f957be14?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1021/classes/modules/forms/wpr-submissions-cpt.php?rev=3301438"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-30T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1020 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3813",
"datePublished": "2025-05-31T07:22:12.475Z",
"dateReserved": "2025-04-18T19:11:18.073Z",
"dateUpdated": "2026-04-08T17:17:59.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39361 (GCVE-0-2025-39361)
Vulnerability from cvelistv5 – Published: 2025-05-07 09:03 – Updated: 2026-05-12 00:14
VLAI
Title
WordPress Royal Elementor Addons plugin <= 1.7.1017 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1017.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WP Royal | Royal Elementor Addons |
Affected:
0 , ≤ 1.7.1017
(custom)
|
Date Public
2026-04-01 16:39
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-39361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:53:07.881109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T00:14:03.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "royal-elementor-addons",
"product": "Royal Elementor Addons",
"vendor": "WP Royal",
"versions": [
{
"changes": [
{
"at": "1.7.1018",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.1017",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:04.387Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Stored XSS.\u003cp\u003eThis issue affects Royal Elementor Addons: from n/a through \u003c= 1.7.1017.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through \u003c= 1.7.1017."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:29.431Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1017-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Royal Elementor Addons plugin \u003c= 1.7.1017 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-39361",
"datePublished": "2025-05-07T09:03:05.729Z",
"dateReserved": "2025-04-16T06:22:20.495Z",
"dateUpdated": "2026-05-12T00:14:03.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12120 (GCVE-0-2024-12120)
Vulnerability from cvelistv5 – Published: 2025-05-07 07:21 – Updated: 2026-04-08 16:56
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1017
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:45:22.124206Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:00:55.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1017",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:15.793Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ee7b4d8-c397-41f6-981f-9a010e4ab2f1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3236381/royal-elementor-addons/tags/1.7.1008/modules/countdown/widgets/wpr-countdown.php?old=3220755\u0026old_path=royal-elementor-addons%2Ftags%2F1.7.1007%2Fmodules%2Fcountdown%2Fwidgets%2Fwpr-countdown.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3285549/royal-elementor-addons/tags/1.7.1018/assets/js/frontend.js?old=3277554\u0026old_path=royal-elementor-addons%2Ftags%2F1.7.1017%2Fassets%2Fjs%2Ffrontend.js"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12120",
"datePublished": "2025-05-07T07:21:40.882Z",
"dateReserved": "2024-12-03T21:43:55.865Z",
"dateUpdated": "2026-04-08T16:56:15.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1456 (GCVE-0-2025-1456)
Vulnerability from cvelistv5 – Published: 2025-04-12 08:22 – Updated: 2026-04-08 16:58
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1012
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-13T02:24:04.590981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T18:05:48.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1012",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:31.165Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68c6e428-b9cf-442f-a896-a8ceb4b9be0e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/assets/js/frontend.min.js"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/assets/js/frontend.js?old=3255849\u0026old_path=royal-elementor-addons%2Ftags%2F1.7.1012%2Fassets%2Fjs%2Ffrontend.js"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1456",
"datePublished": "2025-04-12T08:22:40.950Z",
"dateReserved": "2025-02-18T19:47:03.889Z",
"dateUpdated": "2026-04-08T16:58:31.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1455 (GCVE-0-2025-1455)
Vulnerability from cvelistv5 – Published: 2025-04-12 08:22 – Updated: 2026-04-08 16:53
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Woo Grid widget in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1012
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T15:44:21.373959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T15:44:30.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1012",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Woo Grid widget in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:53:40.760Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5666e2b7-acb3-4abb-ac2a-1575206435cf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/woo-grid/widgets/wpr-woo-grid.php#L9280"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/modules/woo-grid/widgets/wpr-woo-grid.php?old=3255849\u0026old_path=royal-elementor-addons%2Ftags%2F1.7.1012%2Fmodules%2Fwoo-grid%2Fwidgets%2Fwpr-woo-grid.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1012 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1455",
"datePublished": "2025-04-12T08:22:39.981Z",
"dateReserved": "2025-02-18T19:42:38.091Z",
"dateUpdated": "2026-04-08T16:53:40.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1441 (GCVE-0-2025-1441)
Vulnerability from cvelistv5 – Published: 2025-02-19 04:21 – Updated: 2026-04-08 16:59
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1007 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1007
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T14:57:32.459039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T14:57:36.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1007",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the \u0027wpr_filter_woo_products\u0027 function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:03.790Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6bc6a436-6df3-4eaf-a16b-d8b3c3ca7d87?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1008/classes/modules/wpr-filter-woo-products.php#L1904"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1007/classes/modules/wpr-filter-woo-products.php#L1895"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1007 - Cross-Site Request Forgery to Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1441",
"datePublished": "2025-02-19T04:21:28.536Z",
"dateReserved": "2025-02-18T15:29:36.812Z",
"dateUpdated": "2026-04-08T16:59:03.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0393 (GCVE-0-2025-0393)
Vulnerability from cvelistv5 – Published: 2025-01-14 08:23 – Updated: 2026-04-08 17:14
VLAI
Title
Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
Summary
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1006
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T14:46:37.531996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T14:46:41.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1006",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:00.238Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e34c05-7431-4acd-91f3-aab5e66f61ad?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L391"
},
{
"url": "https://wordpress.org/plugins/royal-elementor-addons/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L1260"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3220959/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-13T19:52:46.000Z",
"value": "Disclosed"
}
],
"title": "Royal Elementor Addons and Templates \u003c= 1.7.1006 - Cross-Site Request Forgery to Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-0393",
"datePublished": "2025-01-14T08:23:13.840Z",
"dateReserved": "2025-01-10T17:57:05.336Z",
"dateUpdated": "2026-04-08T17:14:00.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37490 (GCVE-0-2024-37490)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Bard theme <= 2.210 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in wproyal Bard bard allows Cross Site Request Forgery.This issue affects Bard: from n/a through <= 2.210.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/b… | vdb-entry |
Date Public
2026-04-01 16:26
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T14:45:26.054762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T14:52:05.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bard",
"product": "Bard",
"vendor": "wproyal",
"versions": [
{
"changes": [
{
"at": "2.211",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.210",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:33.860Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wproyal Bard bard allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Bard: from n/a through \u003c= 2.210.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wproyal Bard bard allows Cross Site Request Forgery.This issue affects Bard: from n/a through \u003c= 2.210."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:59.789Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-210-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Bard theme \u003c= 2.210 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37490",
"datePublished": "2025-01-02T12:00:56.765Z",
"dateReserved": "2024-06-09T11:43:52.669Z",
"dateUpdated": "2026-04-28T16:09:59.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37478 (GCVE-0-2024-37478)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Ashe theme <= 2.233 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in wproyal Ashe ashe allows Cross Site Request Forgery.This issue affects Ashe: from n/a through <= 2.233.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Theme/a… | vdb-entry |
Date Public
2026-04-01 16:26
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T14:45:32.442703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T14:52:05.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ashe",
"product": "Ashe",
"vendor": "wproyal",
"versions": [
{
"changes": [
{
"at": "2.234",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.233",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:32.673Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wproyal Ashe ashe allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Ashe: from n/a through \u003c= 2.233.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wproyal Ashe ashe allows Cross Site Request Forgery.This issue affects Ashe: from n/a through \u003c= 2.233."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:59.748Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/ashe/vulnerability/wordpress-ashe-theme-2-233-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ashe theme \u003c= 2.233 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37478",
"datePublished": "2025-01-02T12:00:56.190Z",
"dateReserved": "2024-06-09T11:43:13.096Z",
"dateUpdated": "2026-04-28T16:09:59.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}