The Royal Elementor Addons plugin is affected by a stored cross‑site scripting flaw in the wpr_update_form_action_meta AJAX handler. Because the 'status' parameter is not properly sanitized or escaped, and the associated nonce is publicly leaked, attackers can submit arbitrary HTML or JavaScript that is persisted in the site database. When a visitor opens a page that includes the stored value, the injected script runs in the victim’s browser, enabling cookie theft, session hijacking, defacement, or the execution of further malicious payloads. The weakness is identified as CWE‑79.

The vulnerability exists in the Royal Addons for Elementor – Addons and Templates Kit for Elementor from the vendor wproyal. All releases up to and including version 1.7.1056 are affected. Users should verify the installed version and upgrade if necessary.

The CVSS score is 7.2, reflecting a high severity. The EPSS score is not available, but the fact that the nonce is publicly available removes authentication barriers, making exploitation straightforward for an unauthenticated attacker with internet access to the site. Although the flaw is not listed in the CISA KEV catalog, the stored nature of the payload means that once an attacker injects a malicious script, it will impact every user who visits the affected page. The attack vector is purely web‑based; no privileged access is required beyond the ability to trigger the AJAX call.