Description
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-31
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that allows an authenticated contributor to inject arbitrary scripts into WordPress pages, potentially leading to defacement, cookie theft, or malicious code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Royal Elementor Addons plugin, where the '_elementor_data' field accepts unsanitized input. Authenticated users with Contributor-level access or higher can inject JavaScript that is saved and executed whenever any site visitor loads a page containing the injected content. This can lead to defacement, cookie theft, or malicious code execution in a victim’s browser, as described by CWE‑79.

Affected Systems

The flaw affects the WordPress plugin Royal Elementor Addons and Templates Kit for Elementor, any WordPress installation running version 1.7.1020 or earlier. The plugin is identified in the CPE as royal-elementor-addons:royal_elementor_addons. Administrators should verify whether their site uses these affected versions.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity, and the EPSS score below 1% shows an extremely low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need authenticated Contributor credentials to inject malicious code, making the risk contingent on the availability of such accounts. Prompt remediation is advised to avoid potential XSS attacks.

Generated by OpenCVE AI on April 20, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Royal Elementor Addons plugin to version 1.7.1021 or later, where input sanitization is corrected.
  • If an update cannot be performed immediately, remove or deactivate the plugin until a patch becomes available.
  • Restrict Contributor permissions or use role‑management tools to prevent contributors from editing or saving Elementor data, thereby closing the injection vector.

Generated by OpenCVE AI on April 20, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16551 The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00037}

Fri, 11 Jul 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Royal-elementor-addons
Royal-elementor-addons royal Elementor Addons
CPEs cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
Vendors & Products Royal-elementor-addons
Royal-elementor-addons royal Elementor Addons

Mon, 02 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 31 May 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Royal Elementor Addons and Templates <= 1.7.1020 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Royal-elementor-addons Royal Elementor Addons
Wordpress Wordpress
Wproyal Royal Elementor Addons And Templates
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:59.756Z

Reserved: 2025-04-18T19:11:18.073Z

Link: CVE-2025-3813

cve-icon Vulnrichment

Updated: 2025-06-02T15:17:36.765Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-31T08:15:20.970

Modified: 2025-07-11T18:54:56.213

Link: CVE-2025-3813

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:45:20Z

Weaknesses