PT-2026-36966 · WordPress · Royal Elementor Addons

Andrea Bocchetti · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-4803

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Royal Elementor Addons versions prior to 1.7.1057

Description

The Royal Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting issue, caused by insufficient input sanitization and output escaping of the status parameter in the wpr update form action meta AJAX action. Additionally, a publicly leaked nonce allows unauthenticated access to the AJAX handler, so unauthenticated attackers can inject arbitrary web scripts into pages; the scripts execute when users access those pages.

Recommendations

Update the plugin to a version later than 1.7.1056.
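
How the two weaknesses named in the description are usually closed in a WordPress AJAX handler, shown as an added example; it is not the plugin's code or its actual patch. The action name, nonce action, meta key and allowed status values are hypothetical, and the sketch assumes only logged-in users who can edit the post need this endpoint.

```php
<?php
// Added example: hypothetical names throughout, not Royal Elementor Addons code.

// Assumed allow-list; the advisory does not state the real set of valid status values.
const EXAMPLE_ALLOWED_STATUSES = array( 'success', 'error', 'pending' );

// Register only the authenticated hook. Without a wp_ajax_nopriv_* hook,
// logged-out visitors cannot reach the handler at all.
add_action( 'wp_ajax_example_update_form_action_meta', 'example_update_form_action_meta' );

function example_update_form_action_meta() {
    // A nonce only protects against CSRF. Once it is printed into a public page
    // anyone can replay it, so it must not be the sole gate.
    check_ajax_referer( 'example_form_action_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorization: the caller must be allowed to edit the target post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Input: normalise, then accept only known values instead of trying to strip markup.
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, EXAMPLE_ALLOWED_STATUSES, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status' ), 400 );
    }

    update_post_meta( $post_id, '_example_form_action_status', $status );
    wp_send_json_success();
}

// Output: escape at render time as well, so values stored before an upgrade
// (or written by another code path) are still inert in the page.
function example_render_form_action_status( $post_id ) {
    $status = get_post_meta( $post_id, '_example_form_action_status', true );
    printf(
        '<span class="form-status" data-status="%s">%s</span>',
        esc_attr( $status ),
        esc_html( $status )
    );
}
```

Escaping on output matters after upgrading too: meta values written while a vulnerable version was installed remain in the database until they are reviewed or overwritten.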

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-4803

Affected Products

Royal Elementor Addons