CVE-2026-5162

Name of the Vulnerable Software and Affected Versions Royal Addons for Elementor versions prior to 1.7.1057

Description The Royal Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting issue within the Instagram Feed widget. The flaw exists in the instagram follow text setting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 1.7.1056. As a temporary workaround, restrict access to the instagram follow text setting in the Instagram Feed widget to users with higher administrative privileges.