Royal Addons for Elementor < 1.7.1057 – Author+ Stored XSS | CVE 2026-5428 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.

Affects Plugins

royal-elementor-addons

Fixed in 1.7.1057

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ba7b8fe5-aa49-4a70-89c9-1b95a30b1142

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

3012e5d2-d8bd-4ee1-82fc-02eb40fc0d7f

Timeline

Publicly Published

2026-04-23 (about 20 days ago)

Added

2026-04-24 (about 19 days ago)

Last Updated

2026-04-24 (about 19 days ago)

Other

Published

Title

Published

2025-01-22

Title

The Events Calendar < 6.9.1 - Contributor+ Stored XSS

Published

2024-11-20

Title

Grey Owl Lightbox <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-12-19

Title

FiboSearch – Ajax Search for WooCommerce < 1.32.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via thegem_te_search Shortcode

Published

2026-03-10

Title

Responsive Contact Form Builder & Lead Generation Plugin < 2.0.2 - Unauthenticated Stored Cross-Site Scripting

Published

2024-04-15

Title

BA Book Everything < 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode