WordPress Plugin Vulnerabilities

Royal Elementor Addons < 1.7.1057 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the `status` parameter in the `wpr_update_form_action_meta` AJAX action due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
royal-elementor-addons
Fixed in 1.7.1057

References

CVE
CVE-2026-4803
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
andrea bocchetti
Verified
No
WPVDB ID
e0d33a53-aa0b-4d18-8b02-3c85c40023a9

Timeline

Publicly Published
2026-05-04 (about 9 days ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2025-12-12
Title
Custom Post Type UI < 1.18.2 - Admin+ Stored XSS via 'label' Import Parameter
Published
2026-04-21
Title
WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2022-05-31
Title
Spectra < 1.25.6 - Reflected Cross-Site Scripting
Published
2023-01-20
Title
Conversational Forms for ChatBot < 1.17 - Admin+ Stored XSS
Published
2025-12-05
Title
Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes