Royal Elementor Addons


By the Year

In 2026 there have been 0 vulnerabilities in Royal Elementor Addons. Last year, in 2025, Royal Elementor Addons had 9 security vulnerabilities published. Right now, Royal Elementor Addons is on track to have fewer security vulnerabilities in 2026 than it did last year.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0               | 0.00          |
| 2025 | 9               | 5.95          |
| 2024 | 33              | 5.85          |
| 2023 | 16              | 5.23          |

It may take a day or so for new Royal Elementor Addons vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Royal Elementor Addons Security Vulnerabilities

Royal Elementor Addons: Stored XSS up to v1.7.1024
CVE-2025-5338 6.4 - Medium - June 26, 2025

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons v1.7.1020 XSS via _elementor_data
CVE-2025-3813 5.4 - Medium - May 31, 2025

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

CVE-2025-39361 WordPress XSS in Royal Elementor Addons <=1.7.1017
CVE-2025-39361 5.4 - Medium - May 07, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.7.1017.

XSS

WordPress Royal Elementor Addons XSS via Countdown Widget <=1.7.1017
CVE-2024-12120 5.4 - Medium - May 07, 2025

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

SSRF in Royal Elementor Addons <=1.7.1006
CVE-2025-26990 - April 15, 2025

Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1006.

SSRF

Stored XSS in Royal Elementor Addons (v<=1.7.1012) via Woo Grid widget
CVE-2025-1455 6.4 - Medium - April 12, 2025

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Woo Grid widget in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Royal Elementor <=1.7.1012 via widgetGrid/CountDown/InstagramFeed
CVE-2025-1456 6.4 - Medium - April 12, 2025

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WP Royal Elementor Addons CSRF v1.7.1007 Unauth
CVE-2025-1441 6.1 - Medium - February 19, 2025

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

CSRF in Royal Elementor Addons <=1.7.1006 (wpr_filter_grid_posts())
CVE-2025-0393 6.1 - Medium - January 14, 2025

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

WP Royal Elementor Addons 1.3.987: Stored XSS (CVE-2024-56062)
CVE-2024-56062 - December 31, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through <= 1.3.987.

XSS

WP Royal Elementor Addons: Missing Authorization Vulnerability in Access Control
CVE-2024-56227 - December 31, 2024

Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1001.

AuthZ

Cross-Site Scripting (XSS) Vulnerability in WP Royal Elementor Addons
CVE-2024-56226 - December 31, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Reflected XSS. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1001.

XSS

Royal Elementor Addons and Templates Plugin Information Exposure Vulnerability
CVE-2024-10798 4.3 - Medium - November 28, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1003 via the 'wpr-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

Insecure Direct Object Reference / IDOR

Royal Elementor Addons and Templates: Stored XSS Vulnerability in Google Maps Widget
CVE-2024-9059 5.4 - Medium - November 13, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons and Templates: Stored XSS via Countdown Widget
CVE-2024-9668 5.4 - Medium - November 13, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons and Templates: Stored XSS via Form Builder Widget
CVE-2024-9682 5.4 - Medium - November 13, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Form Builder widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WP Royal Elementor Addons: XXE XML Injection pre-1.3.980
CVE-2024-50442 - October 28, 2024

Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows XML Injection. This issue affects Royal Elementor Addons: from n/a through <= 1.3.980.

XXE

Information Exposure in Royal Elementor Addons <=1.3.986 via data_fetch
CVE-2024-7417 4.3 - Medium - October 17, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.986 via the data_fetch. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protected posts.

Information Disclosure

WordPress Elementor Addons XSS <=1.3.982 via URL param
CVE-2024-8482 6.4 - Medium - October 08, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.3.982 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Royal Elementor Addons <=1.3.982 Stored XSS
CVE-2024-44001 - September 18, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons. This issue affects Royal Elementor Addons: from n/a through <= 1.3.982.

XSS

Stored DOM XSS in Royal Elementor Addons <=1.3.980 via Magazine Grid/Slider Widget
CVE-2024-5818 6.4 - Medium - July 24, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored DOM-based Cross-Site Scripting via the plugin's Magazine Grid/Slider widget in all versions up to, and including, 1.3.980 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WP Royal Elementor Addons Stored XSS via custom_upload_mimes (v1.3.976)
CVE-2024-4489 6.4 - Medium - June 07, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_upload_mimes function in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Royal Elementor Addons <=1.3.976 via inline_list
CVE-2024-4488 6.4 - Medium - June 07, 2024

The Royal Elementor Addons and Templates for WordPress is vulnerable to Stored Cross-Site Scripting via the inline_list parameter in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Elementor Addons 1.3.975 via hotspot widgets
CVE-2024-4342 6.4 - Medium - June 01, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image hotspot, image accordion, off canvas, woogrid, and product mini cart widgets in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Royal Elementor Addons & Templates 1.3.975 Back-to-Top
CVE-2024-4087 6.4 - Medium - June 01, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Back to Top widget in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons Authentication Bypass by Spoofing (1.3.93)
CVE-2024-32786 9.8 - Critical - May 17, 2024

Authentication Bypass by Spoofing vulnerability in WP Royal Royal Elementor Addons allows Functionality Bypass. This issue affects Royal Elementor Addons: from n/a through 1.3.93.

Authentication Bypass by Spoofing

WP Plugin Royal Elementor Addons - Stored XSS via Form Builder (1.3.974)
CVE-2024-3887 5.4 - Medium - May 16, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Form Builder widget in all versions up to, and including, 1.3.974 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons XSS in Widgets Before 1.3.971
CVE-2024-3675 6.4 - Medium - May 02, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flip Carousel, Flip Box, Post Grid, and Taxonomy List widgets in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons & Templates 1.3.94 Limited File Upload CVE-2024-1567
CVE-2024-1567 8.2 - High - May 02, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file type validation in the 'file_validity' function in all versions up to, and including, 1.3.94. This makes it possible for unauthenticated attackers to upload dangerous file types such as .svgz on the affected site's server which may make cross-site scripting or remote code execution possible.

Unrestricted File Upload

WordPress: Royal Elementor Addons & Tpl XSS in Advanced Accordion (1.3.971)
CVE-2024-3889 6.4 - Medium - April 23, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Accordion widget in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes like 'accordion_title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Royal Elementor Addons/Template plugin v1.3.96 via HTML tags
CVE-2024-2799 6.4 - Medium - April 23, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid & Advanced Text widget HTML tags in all versions up to, and including, 1.3.96 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Royal Elementor Addons 1.3.971 via widget containers
CVE-2024-2798 6.4 - Medium - April 23, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget containers in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WP Royal Elementor Addons XSS (Stored) Before 1.3.93
CVE-2024-31236 5.4 - Medium - April 07, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.3.93.

XSS

Royal Elementor Addons and Templates XSS 1.3.91
CVE-2024-1500 5.4 - Medium - March 07, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Logo Widget in all versions up to, and including, 1.3.91 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Unauthenticated Post Meta Update in Royal Elementor Addons v1.3.87
CVE-2024-0516 5.3 - Medium - February 29, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to unauthorized post metadata update due to a missing capability check on the wpr_update_form_action_meta function in all versions up to, and including, 1.3.87. This makes it possible for unauthenticated attackers to update certain metadata.

Session Riding

CVE-2024-0515 WP Plugin 'Royal Elementor Addons & Templates' XSRF in v1.3.87 & earlier
CVE-2024-0515 4.3 - Medium - February 29, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the remove_from_compare function. This makes it possible for unauthenticated attackers to remove items from user compare lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

CSRF in Royal Elementor Addons up to v1.3.87 via add_to_compare
CVE-2024-0514 4.3 - Medium - February 29, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the add_to_compare function. This makes it possible for unauthenticated attackers to add items to user compare lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

CVE-2024-0513 WordPress CSRF in Royal Elementor Addons & Templates <=1.3.87
CVE-2024-0513 4.3 - Medium - February 29, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the remove_from_wishlist function. This makes it possible for unauthenticated attackers to remove items from user wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

WordPress Royal Elementor Addons CSRF in add_to_wishlist 1.3.87
CVE-2024-0512 4.3 - Medium - February 29, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the add_to_wishlist function. This makes it possible for unauthenticated attackers to add items to user wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

Stored XSS via URL params in Royal Elementor Addons <=1.3.87
CVE-2024-0442 6.4 - Medium - February 29, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via element URL parameters in all versions up to, and including, 1.3.87 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Royal Elementor Addons <1.3.87 Unauth CSRF via wpr_update_form_action_meta
CVE-2024-0511 4.3 - Medium - February 08, 2024

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

Royal Elementor Addons Disclosure via AJAX before 1.3.81 (Unauthenticated Access)
CVE-2023-5922 7.5 - High - January 16, 2024

The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content.

Royal Elementor Addons <1.3.79: Unvalidated File Upload RCE
CVE-2023-5360 9.8 - Critical - October 31, 2023

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.

Unrestricted File Upload

CSRF in WP Royal Royal Elementor Addons <=1.3.75
CVE-2022-47175 8.8 - High - October 06, 2023

Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Royal Elementor Addons and Templates plugin <= 1.3.75 versions.

Session Riding

Royal Elementor Addons <=1.3.70 Unauth API Key Disclosure
CVE-2023-3709 5.3 - Medium - July 18, 2023

The Royal Elementor Addons plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 1.3.70 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised.

Information Disclosure

XSS in Royal Elementor Addons <=1.3.59 via wpr_ajax_search_link_target
CVE-2022-4710 6.1 - Medium - January 10, 2023

The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to insufficient input sanitization and output escaping of the 'wpr_ajax_search_link_target' parameter in the 'data_fetch' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is occurring because 'sanitize_text_field' is insufficient to prevent attribute-based Cross-Site Scripting.

XSS

WP Royal Elementor Addons <=1.3.59: Auth AJAX ACL Bypass for Mega Menu
CVE-2022-4711 4.3 - Medium - January 10, 2023

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu settings for any menu item.

Authorization

Royal Elementor Addons <=1.3.59 insufficient access control wpr_activate_req_theme
CVE-2022-4700 5.4 - Medium - January 10, 2023

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'royal-elementor-kit' theme. If no such theme is installed doing so can also impact site availability as the site attempts to load a nonexistent theme.

Authorization

Insufficient Access Control in Royal Elementor Addons <=1.3.59 AJAX
CVE-2022-4701 4.3 - Medium - January 10, 2023

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site.

AuthZ

Royal Elementor Addons <=1.3.59 Insuf AC in 'wpr_fix_royal_compatibility' AJAX
CVE-2022-4702 5.4 - Medium - January 10, 2023

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_fix_royal_compatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited hardcoded selection. This also switches the site to the 'royal-elementor-kit' theme, potentially resulting in availability issues.

Authorization
