Description
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Royal Elementor Addons and Templates plugin for WordPress contains a stored cross‑site scripting flaw in the title_tag parameter. Insufficient sanitization permits attackers who can log in with a Contributor or higher role to embed malicious scripts in widget configurations. When any visitor loads the affected page, the injected script runs in the visitor's browser, enabling theft of session data, defacement, or additional attacks.
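An added example, not code from the plugin or from OpenCVE, of the defensive pattern the description points at: a widget setting that becomes an HTML tag name has to be constrained to an allowlist, because output escaping cannot protect a value that is the element itself. It assumes that 'title_tag' selects the wrapper element of a widget title, as is typical for Elementor widgets; the function names and sample settings are constructed for illustration.

```php
<?php
// Added example (hypothetical helpers, not the plugin's code). Assumes 'title_tag'
// selects the element wrapping a widget title. In a WordPress plugin, esc_html()
// would take the place of htmlspecialchars() for the text content.

// Elements a title wrapper may be; anything else falls back to a safe default.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function validate_title_tag(string $tag): string
{
    $tag = strtolower(trim($tag));
    // Strict comparison: only a bare, allowlisted tag name survives.
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : 'div';
}

// Vulnerable pattern: the saved setting is interpolated into markup unchecked,
// so whatever a Contributor stored in the tag field lands in the page as-is.
function render_title_unsafe(array $settings): string
{
    return sprintf('<%1$s class="title">%2$s</%1$s>', $settings['title_tag'], $settings['title']);
}

// Hardened pattern: tag name constrained to the allowlist, text content escaped.
function render_title_safe(array $settings): string
{
    $tag  = validate_title_tag($settings['title_tag'] ?? 'h2');
    $text = htmlspecialchars($settings['title'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<%1$s class="title">%2$s</%1$s>', $tag, $text);
}

// Constructed sample: a tag setting that is not a bare allowlisted name, and a
// title containing markup. The safe renderer emits a <div> and escaped text.
$settings = ['title_tag' => 'h2 style="color:red"', 'title' => 'Hello <b>world</b>'];
echo render_title_safe($settings), PHP_EOL;
```

Detection on an existing site amounts to the same check run over stored widget settings: any saved title_tag value that is not a bare allowlisted tag name warrants review.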

Affected Systems

This issue affects the Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin on WordPress sites, specifically all versions up to and including 1.7.1058. Any installation running a vulnerable version is at risk; no other vendors or products are implicated.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating moderate severity. EPSS data is not available and the problem is not listed in the CISA KEV catalog. The likely attack vector is an authenticated contributor who injects malicious content via the title_tag parameter. Once authenticated, an attacker can persist scripts that execute for all users who view the compromised page, creating a persistent injection risk. Although exploitation has not been publicly reported, the moderate score and potential for widespread impact make this a serious concern.

Generated by OpenCVE AI on May 14, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Royal Elementor Addons and Templates to a version newer than 1.7.1058 to apply the title_tag sanitization fix.
  • Revoke Contributor or higher privileges from users who do not need to edit Elementor widgets; limit editing rights to trusted personnel only.
  • If an immediate update cannot be performed, uninstall the Royal Elementor Addons plugin or disable the widgets that use the title_tag parameter until a patch is available.

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress; Wproyal; Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress; Wproyal; Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor
Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 09:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Values Removed: (none)
  Values Added: Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:42:12.258Z

Reserved: 2026-04-17T10:22:14.570Z

Link: CVE-2026-6504

Vulnrichment

Updated: 2026-05-14T10:42:07.171Z

NVD

Status: Deferred

Published: 2026-05-14T09:16:27.680

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-6504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T11:00:12Z

Weaknesses