Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS.

This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation, a stored cross‑site scripting vulnerability, is present in the Royal Elementor Addons plugin. The flaw allows attackers to save malicious scripts in plugin fields that are rendered on the site, leading to script execution in the browsers of anyone who views the affected content. Although it does not provide direct remote code execution, the injected scripts can steal session cookies, deface content, or redirect users, compromising confidentiality and integrity of user sessions.

Affected Systems

The vulnerability affects the WProyal Royal Elementor Addons plugin for WordPress, specifically all releases older than 1.7.1053. Any WordPress installation that has this plugin version installed is susceptible until the plugin is updated.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. No EPSS score is available, suggesting a low or unknown probability of active exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need to add or modify content in the plugin fields, which typically requires authenticated access; however, the CVE data does not explicitly state the required privileges. Once malicious scripts are stored, they are executed in the browsers of any visitors to the affected pages, providing persistent risk until the plugin is upgraded.

Generated by OpenCVE AI on May 7, 2026 at 09:52 UTC.

Remediation

Vendor Solution

Update the WordPress Royal Elementor Addons Plugin to the latest available version (at least 1.7.1053).


OpenCVE Recommended Actions

  • Upgrade the Royal Elementor Addons plugin to version 1.7.1053 or later.
  • Verify that the WordPress installation is limited to a single, trusted administrator account, and review any pending content changes for malicious scripts prior to upgrading.
  • After applying the patch, perform a security scan of the site’s content to confirm no stored cross‑site scripting payloads remain.

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wp Royal; Wp Royal royal Elementor Addons
Vendors & Products | | Wordpress; Wordpress wordpress; Wp Royal; Wp Royal royal Elementor Addons

Thu, 07 May 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Title | | WordPress Royal Elementor Addons plugin < 1.7.1053 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-07T13:03:38.524Z

Reserved: 2026-02-19T09:52:28.127Z

Link: CVE-2026-27421

Vulnrichment

Updated: 2026-05-07T13:03:34.472Z

NVD

Status: Deferred

Published: 2026-05-07T09:16:27.480

Modified: 2026-05-07T14:00:48.567

Link: CVE-2026-27421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T12:15:28Z

Weaknesses