Description
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting enabling arbitrary script execution
Action: Update Plugin
AI Analysis

Impact

The Royal Elementor Addons and Templates plugin for WordPress contains a stored cross-site scripting flaw in the widgetGrid, widgetCountDown, and widgetInstagramFeed methods. Authenticated users with Contributor-level access or higher can inject malicious JavaScript that is then rendered in any page displaying the affected widget. The injected code runs in the browser of every visitor to that page, potentially allowing attackers to steal session cookies, deface content, or launch phishing attacks.

Affected Systems

WordPress installations running the Royal Elementor Addons and Templates plugin at version 1.7.1012 or earlier. These versions expose the vulnerable widget rendering functions without the required input sanitization and output escaping.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of < 1%, suggesting that active exploitation is currently unlikely. It is not listed in the CISA KEV catalog. Exploitation requires an attacker authenticated with Contributor-level access or higher; the injected payload then affects any visitor who views a page containing the compromised widget.

Generated by OpenCVE AI on April 21, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Royal Elementor Addons and Templates to version 1.7.1013 or later to eliminate the XSS vectors.
  • If an upgrade is not immediately possible, remove the plugin or disable the widgetGrid, widgetCountDown, and widgetInstagramFeed widgets to prevent further code injection.
  • Conduct a thorough review and clean of any existing injected scripts from widget content and audit the site for other potential XSS vulnerabilities.

Advisories
Source: EUVD
ID: EUVD-2025-10844
Title: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Tue, 08 Jul 2025 18:45:00 +0000

Values Added:
  • First Time appeared: Royal-elementor-addons; Royal-elementor-addons royal Elementor Addons
  • CPEs: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Royal-elementor-addons; Royal-elementor-addons royal Elementor Addons

Mon, 14 Apr 2025 18:15:00 +0000

Values Added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 12 Apr 2025 08:45:00 +0000

Values Added:
  • Description: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title: Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting
  • Weaknesses: CWE-79
  • References
  • Metrics (cvssV3_1): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:31.165Z

Reserved: 2025-02-18T19:47:03.889Z

Link: CVE-2025-1456

Vulnrichment

Updated: 2025-04-13T02:30:30.701Z

NVD

Status: Analyzed

Published: 2025-04-12T09:15:16.600

Modified: 2025-07-08T18:21:58.743

Link: CVE-2025-1456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses