{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/royal-elementor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4803"}],"_cs_exploited":false,"_cs_products":["Royal Elementor Addons plugin \u003c= 1.7.1056"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-4803","royal-elementor"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Royal Elementor Addons plugin for WordPress, in versions up to and including 1.7.1056, contains a stored Cross-Site Scripting (XSS) vulnerability. The \u0026lsquo;status\u0026rsquo; parameter handled by the wpr_update_form_action_meta AJAX action is neither sanitized on input nor escaped on output. The nonce that gates this action is publicly exposed, and because a WordPress nonce is a CSRF token rather than proof of identity, that nonce check is all that stands between an unauthenticated request and the handler. An unauthenticated attacker can therefore store JavaScript that is later rendered into WordPress pages. When a user visits a page containing the injected script, it executes in that user\u0026rsquo;s browser and session, potentially leading to session hijacking, defacement, or other malicious actions. 
This vulnerability poses a significant risk to WordPress sites running the Royal Elementor Addons plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 1.7.1056) of the Royal Elementor Addons plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php).\u003c/li\u003e\n\u003cli\u003eThe request sets the action parameter to \u0026lsquo;wpr_update_form_action_meta\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe request carries the publicly exposed nonce, which satisfies the handler\u0026rsquo;s nonce check; no WordPress login is needed.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;status\u0026rsquo; parameter carries JavaScript, which the plugin accepts without sanitization.\u003c/li\u003e\n\u003cli\u003eThe server processes the request and writes the payload to the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits a page on which the stored value is rendered without escaping.\u003c/li\u003e\n\u003cli\u003eThe script executes in that user\u0026rsquo;s browser, letting the attacker steal cookies, redirect the user, or deface the page.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to inject arbitrary web script into WordPress pages. Outcomes include session hijacking, website defacement, and execution of arbitrary script in the context of a visitor\u0026rsquo;s browser; a script running in a logged-in administrator\u0026rsquo;s session can act with that administrator\u0026rsquo;s privileges. 
Given the widespread use of WordPress and of this plugin, mass exploitation could affect many sites and their users, leading to data breaches and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Royal Elementor Addons plugin to the latest version, which includes the fix for CVE-2026-4803; every version at or below 1.7.1056 is affected.\u003c/li\u003e\n\u003cli\u003eAdd a web application firewall (WAF) rule for POST requests to wp-admin/admin-ajax.php whose action is wpr_update_form_action_meta and whose \u0026lsquo;status\u0026rsquo; parameter contains script content; match on the decoded value, since payloads may be URL-encoded or use event-handler attributes rather than a script tag.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule that alerts on POST requests to the AJAX endpoint with that action and script-like content in the request body. This needs a log source that records POST bodies (a reverse proxy or WAF); standard web-server access logs capture only the request line, so the \u0026lsquo;status\u0026rsquo; value never appears in them.\u003c/li\u003e\n\u003cli\u003eReview and audit existing WordPress installations for signs of compromise: search the database (wp_options, wp_postmeta, and wherever the plugin stores its form-action metadata) for script tags or event-handler attributes, and inspect rendered pages for script that no administrator added.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T04:16:18Z","date_published":"2026-05-05T04:16:18Z","id":"/briefs/2026-05-royal-elementor-xss/","summary":"The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'status' parameter in the wpr_update_form_action_meta AJAX action, allowing unauthenticated attackers to inject arbitrary web scripts into pages.","title":"Royal Elementor Addons Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-royal-elementor-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Royal-Elementor","version":"https://jsonfeed.org/version/1.1"}
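As an added example (not code from the plugin, the vendor, or this feed), the following Python implements the detection that the attack chain and the WAF/Sigma recommendations describe, run over a constructed JSON-lines request log, together with the stored-value audit from the last recommendation. It assumes a reverse proxy or WAF that logs POST bodies with the fields src, method, uri and body; the log lines, table names and option keys are constructed, and the nonce parameter is left out of the sample requests because the advisory does not name it. The matching goes beyond a literal script tag to event-handler attributes, javascript: URIs and payloads that have been URL-encoded more than once.

```python
"""Detection helpers for the admin-ajax.php exploitation pattern in the advisory.

Added example, not code from the plugin, the vendor or the feed. Assumes a
JSON-lines request log from a reverse proxy or WAF that records the POST body
(stock access logs do not), with fields: src, method, uri, body.
"""
import html
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus

TARGET_ACTION = "wpr_update_form_action_meta"  # AJAX action named in the advisory
TARGET_PARAM = "status"                        # unsanitized parameter named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Script indicators, checked against the fully decoded value. The event-handler
# list is deliberately partial; extend it for your environment.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed|body|details)\b", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus|toggle|animationstart)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def normalize(value: str) -> str:
    """Peel off layered URL-encoding and HTML entities (bounded so odd input cannot loop)."""
    current = value
    for _ in range(3):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def looks_like_script(value: str) -> bool:
    decoded = normalize(value)
    return any(p.search(decoded) for p in SCRIPT_PATTERNS)


def classify_request(entry: dict) -> Optional[dict]:
    """Return a finding when one log entry is a POST to admin-ajax.php carrying the
    target action and script-like content in the target parameter; None otherwise."""
    if entry.get("method", "").upper() != "POST":
        return None
    path, _, query = entry.get("uri", "").partition("?")
    if not path.endswith(AJAX_PATH):
        return None
    body = parse_qs(entry.get("body", ""), keep_blank_values=True)
    qs = parse_qs(query, keep_blank_values=True)
    # The action may travel in the body or in the query string.
    action = (body.get("action") or qs.get("action") or [""])[0]
    if action != TARGET_ACTION:
        return None
    hits = [v for v in body.get(TARGET_PARAM, []) if looks_like_script(v)]
    if not hits:
        return None
    return {"src": entry.get("src"), "action": action, "payload": normalize(hits[0])}


def scan_log(lines: List[str]) -> List[dict]:
    """Run classify_request over JSON-lines input, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_request(entry)
        if finding:
            findings.append(finding)
    return findings


def audit_stored_values(rows):
    """Post-compromise audit: rows are (table, key, value) triples pulled from the
    database; return the (table, key) pairs whose value carries script."""
    return [(table, key) for table, key, value in rows if looks_like_script(value)]


# Constructed sample log (not real traffic). The nonce parameter is omitted because
# the advisory does not name it. Entries 4 and 5 are the exploitation pattern.
SAMPLE_LOG = [
    '{"src":"198.51.100.7","method":"GET","uri":"/blog/","body":""}',
    '{"src":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php",'
    '"body":"action=heartbeat&_nonce=abc"}',
    '{"src":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php",'
    '"body":"action=wpr_update_form_action_meta&status=enabled"}',
    '{"src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php",'
    '"body":"action=wpr_update_form_action_meta&status=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"}',
    '{"src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php?action=wpr_update_form_action_meta",'
    '"body":"status=%253Cscript%253Efetch(%2522https%253A%252F%252Fexample.org%252F%2522)%253C%252Fscript%253E"}',
    'not json at all',
]

# Constructed database rows with hypothetical key names.
SAMPLE_ROWS = [
    ("wp_options", "hypothetical_form_status", "enabled"),
    ("wp_postmeta", "_hypothetical_form_action", "<svg onload=alert(1)>"),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(audit_stored_values(SAMPLE_ROWS))
```

Run against the sample, the two script-bearing requests from 203.0.113.9 are flagged (the double-encoded one decodes to a plain script tag), the benign heartbeat and the legitimate status=enabled update are not, and the audit returns only the postmeta row. The bounded decode loop in normalize is what makes the rule robust to layered encoding; a WAF rule that only matches the raw body would miss the fifth entry.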