What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS.
This issue affects Royal Elementor Addons: from n/a before 1.7.1053.
Explanation of Vulnerability in Simple Terms
02Summary
Royal Elementor Addons versions before 1.7.1053 contain a cross-site scripting vulnerability. An authenticated user with low privileges can inject malicious scripts that execute in other users' browsers, potentially stealing session data or performing actions on their behalf. The vulnerability requires user interaction—the victim must visit a crafted page or click a malicious link.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in other users' browsers and steal their session data or perform actions as them.
Potential impact on your site
04Site Impact
Users' accounts and data are at risk if they interact with attacker-controlled content; session hijacking is possible.
Conditions required to exploit
05Prerequisites
Attacker needs a low-privilege account on the site; victim must visit a crafted page or click a link.
Key dates
06Disclosure timeline
May 7, 2026
CVE published
May 7, 2026
Record updated