Skip to main content

Royal Elementor Addons CVE-2024-12120

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-05-07 security@wordfence.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:40 vuln.today
Patch released
Mar 28, 2026 - 18:40 nvd
Patch available
CVE Published
May 07, 2025 - 08:15 nvd
MEDIUM 5.4

DescriptionCVE.org

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected products include: Royal-Elementor-Addons Royal Elementor Addons.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-5360 CRITICAL POC
9.8 Oct 31

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which

CVE-2024-32786 CRITICAL
9.8 May 17

Authentication Bypass by Spoofing vulnerability in WP Royal Royal Elementor Addons allows Functionality Bypass.3.93. Rat

CVE-2024-1567 HIGH
8.2 May 02

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file

CVE-2022-4711 MEDIUM POC
4.3 Jan 10

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_

CVE-2022-4710 MEDIUM
6.1 Jan 10

The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and i

CVE-2024-31236 MEDIUM
6.5 Apr 07

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Royal Royal Ele

CVE-2026-27421 MEDIUM
6.5 May 07

Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users w

CVE-2024-4342 MEDIUM
6.4 Jun 01

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi

CVE-2024-4087 MEDIUM
6.4 Jun 01

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi

CVE-2024-4489 MEDIUM
6.4 Jun 07

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cust

CVE-2024-4488 MEDIUM
6.4 Jun 07

The Royal Elementor Addons and Templates for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘inline_list

CVE-2024-3675 MEDIUM
6.4 May 02

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi

Share

CVE-2024-12120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy