PT-2026-34856 · WordPress · Royal Elementor Addons

Dmitry Ignatyev

·

Published

2026-04-24

·

Updated

2026-04-25

·

CVE-2026-5428

CVSS v3.1

6.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Royal Elementor Addons versions prior to 1.7.1057

Description

The Royal Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting issue within the Image Grid/Slider/Carousel widget. The flaw exists in the render_post_thumbnail() function due to insufficient output escaping, specifically where wp_kses_post() is used instead of esc_attr() for the alt attribute context. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts via image captions. These scripts execute when a user views a page containing the malicious image displayed in the media grid widget.

Recommendations

Update the plugin to a version later than 1.7.1056. As a temporary workaround, restrict access to the render_post_thumbnail() function or limit the permissions of users who can edit image captions in the Image Grid/Slider/Carousel widget.
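The escaping mistake the description names, shown as an added illustrative PHP snippet that is not the plugin's own code: it assumes WordPress is loaded (so esc_attr(), esc_url(), wp_kses_post(), wp_get_attachment_image_url() and wp_get_attachment_caption() exist), and the example_ function names are hypothetical. wp_kses_post() filters HTML body content and leaves a bare double quote untouched, so it cannot keep a caption inside alt="…"; esc_attr() encodes the quote, which is the context-appropriate escaping the description points to.

```php
<?php
// Added example, not code from Royal Elementor Addons. Assumes WordPress is
// loaded (for instance as an mu-plugin); function names prefixed example_ are
// hypothetical.

// Vulnerable pattern: wp_kses_post() is a body-content filter. It strips tags
// that are not allowed in posts but does not encode a plain double quote, so a
// caption containing one terminates the alt="" value early when echoed here.
function example_render_thumbnail_vulnerable( $attachment_id ) {
    $url     = wp_get_attachment_image_url( $attachment_id, 'large' );
    $caption = wp_get_attachment_caption( $attachment_id );
    return '<img src="' . esc_url( $url ) . '" alt="' . wp_kses_post( $caption ) . '">';
}

// Hardened pattern: esc_attr() encodes " ' < > & so the caption stays inside
// the attribute no matter what the Author-level user typed into it.
function example_render_thumbnail_fixed( $attachment_id ) {
    $url     = wp_get_attachment_image_url( $attachment_id, 'large' );
    $caption = wp_get_attachment_caption( $attachment_id );
    return '<img src="' . esc_url( $url ) . '" alt="' . esc_attr( $caption ) . '">';
}

// Constructed caption (not taken from the advisory): an ordinary double quote
// is enough to show the difference between the two filters.
function example_demonstrate_difference() {
    $caption = 'Sunset over the "old" harbour';
    return array(
        'wp_kses_post' => wp_kses_post( $caption ), // quote passes through unchanged
        'esc_attr'     => esc_attr( $caption ),     // quote becomes &quot;
    );
}
```

For a caption such as the constructed one above, wp_kses_post() returns the string unchanged while esc_attr() returns `Sunset over the &quot;old&quot; harbour`; only the second is safe to place inside an attribute. When reviewing a theme or plugin for the same class of defect, match the escaping function to the output context (esc_attr() for attribute values, esc_url() for URLs, wp_kses_post() only for body markup), or delegate to wp_get_attachment_image(), which escapes each attribute value with esc_attr() itself.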

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-5428

Affected Products

Royal Elementor Addons