CVE-2026-5159

Name of the Vulnerable Software and Affected Versions Royal Addons for Elementor versions prior to 1.7.1057

Description The Royal Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting issue in the Instagram Feed widget. The flaw exists in the instagram follow text setting due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute when a user visits the affected page. Exploitation requires an administrator to have previously configured the Instagram Feed widget with a valid Instagram access token.

Recommendations Update the plugin to a version later than 1.7.1056. As a temporary workaround, restrict access to the instagram follow text setting in the Instagram Feed widget to users with higher privileges or avoid using this specific setting until the update is applied.