← back to popular plugins
wordfence / plugin · royal-elementor-addons

Royal Addons for Elementor – Addons and Templates Kit for Elementor

royal-elementor-addons
total installs
600,000
total vulns
25
critical
0
high
3
medium
22
low
0
latest vuln
patched
25
unpatched
0
avg time to patch
vulnerabilities (25)
Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter
medium ✓ patched
cve id CVE-2026-6504 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 13, 2026
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Missing Authorization
medium ✓ patched
cve id CVE-2026-25436 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published May 7, 2026
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.7.1053. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2026-27421 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 7, 2026
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.7.1053 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter
medium ✓ patched
cve id CVE-2026-5159 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 4, 2026
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.
Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta
high ✓ patched
cve id CVE-2026-4803 ↗
cvss score 7.2
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 4, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification
medium ✓ patched
cve id CVE-2026-4024 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published May 1, 2026
The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.
Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter
high ✓ patched
cve id CVE-2026-6229 ↗
cvss score 7.2
cwe CWE-918: Server-Side Request Forgery (SSRF)
published May 1, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field
medium ✓ patched
cve id CVE-2026-5428 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 23, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget
medium ✓ patched
cve id CVE-2026-5162 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 16, 2026
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass
medium ✓ patched
cve id CVE-2026-0664 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 3, 2026
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons <= 1.7.1056 - Missing Authorization
medium ✓ patched
cve id CVE-2026-40763 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Mar 31, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.7.1056. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure
medium ✓ patched
cve id CVE-2026-2373 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Mar 16, 2026
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.
Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass
high ✓ patched
cve id CVE-2025-13067 ↗
cvss score 8.8
cwe CWE-434: Unrestricted Upload of File with Dangerous Type
published Mar 10, 2026
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1052 - Missing Authorization
medium ✓ patched
cve id CVE-2026-28135 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Feb 26, 2026
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.1052. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Royal Elementor Addons and Templates <= 1.7.1036 - Missing Authorization to Unauthenticated Media File Upload
medium ✓ patched
cve id CVE-2025-11363 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Nov 24, 2025
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized media file uploads due to a missing capability check on the 'wpr_addons_upload_file' AJAX endpoint in all versions up to, and including, 1.7.1036. This makes it possible for unauthenticated attackers to upload media files.
Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-6251 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Nov 18, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons <= 1.7.1028 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets
medium ✓ patched
cve id CVE-2025-5338 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jun 25, 2025
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons and Templates <= 1.7.1020 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-3813 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 30, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-39361 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 7, 2025
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons <= 1.3.977 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-39543 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 16, 2025
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.977 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons <= 1.7.1006 - Authenticated (Admin+) Server Side Request Forgery
medium ✓ patched
cve id CVE-2025-26990 ↗
cvss score 5.5
cwe CWE-918: Server-Side Request Forgery (SSRF)
published Apr 11, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.1006. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-1455 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 11, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Woo Grid widget in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-1456 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 11, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Royal Elementor Addons and Templates <= 1.7.1007 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-1441 ↗
cvss score 6.1
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Feb 18, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-0393 ↗
cvss score 6.1
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Jan 13, 2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.