Justin Nam

**Name of the Vulnerable Software and Affected Versions** Royal Addons for Elementor versions prior to 1.7.1057 **Description** The Royal Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting issue in the Instagram Feed widget. The flaw exists in the `instagram follow text` setting due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute when a user visits the affected page. Exploitation requires an administrator to have previously configured the Instagram Feed widget with a valid Instagram access token. **Recommendations** Update the plugin to a version later than 1.7.1056. As a temporary workaround, restrict access to the `instagram follow text` setting in the Instagram Feed widget to users with higher privileges or avoid using this specific setting until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Jeg Kit for Elementor versions prior to 3.1.1 **Description** The Jeg Kit for Elementor plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages due to insufficient input sanitization and output escaping. This occurs via the `sg content number prefix` parameter, and the scripts execute whenever a user visits the affected page. **Recommendations** Update to a version later than 3.1.0. As a temporary workaround, restrict access to the `sg content number prefix` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Royal Addons for Elementor versions prior to 1.7.1057 **Description** The Royal Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting issue within the Instagram Feed widget. The flaw exists in the `instagram follow text` setting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 1.7.1056. As a temporary workaround, restrict access to the `instagram follow text` setting in the Instagram Feed widget to users with higher administrative privileges.