CVE-2026-0664
Stored XSS in Royal Addons for Elementor Plugin Allows Script Injection
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| royal_addons | royal_elementor_addons | to 1.7.1049 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-0664 affects the Royal Addons for Elementor WordPress plugin, specifically in its Form Builder widget. It is a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping of the 'button_text' parameter in versions up to and including 1.7.1049.
This flaw allows authenticated attackers with contributor level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising the site or user data.
How can this vulnerability impact me? :
This vulnerability can lead to attackers injecting malicious scripts that execute in the context of the affected website. This can result in theft of user credentials, session hijacking, defacement, or distribution of malware.
Since the attack requires contributor level access or above, it means that an attacker who has some level of authenticated access can escalate their impact by injecting scripts that affect all users visiting the compromised pages.
The CVSS score of 6.4 (medium severity) reflects the potential for confidentiality and integrity loss without impacting availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored Cross-Site Scripting (XSS) via the 'button_text' parameter in the Royal Addons for Elementor plugin. Detection involves identifying if your WordPress installation uses this plugin version (up to 1.7.1049) and checking for injected scripts in pages where the 'button_text' parameter is used.
You can detect potential exploitation by searching for suspicious script tags or unusual JavaScript code in the content of pages or posts that use the plugin's button_text parameter.
- Use WP-CLI to search for suspicious script tags in the database: wp search-replace '<script' '' --dry-run
- Manually inspect pages or posts that include buttons created by the Royal Addons plugin for unexpected JavaScript.
- Monitor HTTP requests and responses for injected scripts using tools like Burp Suite or browser developer tools.
- Check plugin version via command line or WordPress admin to confirm if it is vulnerable (version β€ 1.7.1049).
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Royal Addons for Elementor plugin to a version later than 1.7.1049, where the vulnerability is fixed.
If immediate updating is not possible, restrict contributor-level and above users from adding or editing content that uses the vulnerable 'button_text' parameter.
Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via the 'button_text' parameter.
Review and sanitize all user inputs in forms and plugin settings, especially those that accept dynamic content or shortcodes.
Regularly audit your WordPress site for suspicious content and monitor logs for unusual activity related to form submissions or content changes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Royal Addons for Elementor plugin allows authenticated attackers with contributor level access to inject arbitrary web scripts via insufficient input sanitization and output escaping. This can lead to unauthorized script execution when users access the injected pages.
Such stored cross-site scripting (XSS) vulnerabilities can potentially lead to unauthorized access to user data, session hijacking, or data manipulation, which may impact the confidentiality and integrity of personal or sensitive information.
Consequently, this vulnerability could affect compliance with data protection regulations like GDPR or HIPAA, which require adequate safeguards to protect personal and sensitive data from unauthorized access or disclosure.
However, the provided information does not explicitly detail the direct compliance impact or any specific regulatory breaches caused by this vulnerability.