Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.7.1053 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<1.7.1053What Changed in the Fix
Changes introduced in v1.7.1053
Source Code
WordPress.org SVNThis exploitation research plan targets **CVE-2026-27421**, a Stored Cross-Site Scripting (XSS) vulnerability in the Royal Addons for Elementor plugin. The vulnerability allows Contributor-level users to inject malicious scripts into pages via unsanitized Mega Menu settings. ### 1. Vulnerability Su…
Show full research plan
This exploitation research plan targets CVE-2026-27421, a Stored Cross-Site Scripting (XSS) vulnerability in the Royal Addons for Elementor plugin. The vulnerability allows Contributor-level users to inject malicious scripts into pages via unsanitized Mega Menu settings.
1. Vulnerability Summary
- Vulnerability: Stored Cross-Site Scripting (XSS)
- Location:
admin/mega-menu.php(specifically the AJAX handlerwpr_save_mega_menu_settings) - Root Cause: The plugin registers AJAX actions for saving Mega Menu configurations but fails to adequately sanitize input parameters before storing them in post meta. Furthermore, these values are later rendered in the admin dashboard or frontend menus without proper output escaping (e.g., using
esc_attr()oresc_html()). - Privilege Level: Authenticated (Contributor+). While Mega Menus are typically an admin feature, the AJAX handlers and the underlying Custom Post Type (
wpr_mega_menu) are often accessible or editable by lower-level users who have access to the Elementor editor.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wpr_save_mega_menu_settings - Vulnerable Parameter(s): Settings associated with menu items, likely
wpr_mm_custom_widthor other text-based settings stored in thewpr-mega-menu-itemmeta. - Preconditions:
- The plugin "Royal Addons for Elementor" is active.
- At least one WordPress Menu and Menu Item must exist.
- The attacker has a Contributor-level account.
3. Code Flow
- Entry Point: An AJAX POST request is sent to
admin-ajax.phpwith the actionwpr_save_mega_menu_settings. - Hook Registration: In
admin/mega-menu.php, the action is registered:add_action( 'wp_ajax_wpr_save_mega_menu_settings', 'wpr_save_mega_menu_settings' ); - Vulnerable Handler: The (inferred)
wpr_save_mega_menu_settingsfunction retrieves theitem_idand settings from$_POST. - Insecure Storage: The handler uses
update_post_meta($item_id, 'wpr_mm_settings', $settings)(or similar) without sanitizing the values within the$settingsarray. - Sink: When the admin menu or the frontend page renders the menu, the function
render_settings_popup(or its frontend equivalent) retrieves the meta and echoes it.- Example Sink in
admin/mega-menu.php: Therender_settings_popupfunction renders HTML for the settings. If any previously saved setting is echoed back into an attribute or text node without escaping, the XSS triggers.
- Example Sink in
4. Nonce Acquisition Strategy
The AJAX actions in admin/mega-menu.php require a nonce verified against the action string 'wpr-mega-menu-js'.
- Identify the Source: The nonce is enqueued via
enqueue_scriptsinadmin/mega-menu.php. - Localization Key: Based on plugin patterns, the nonce is likely localized in a global JavaScript object. We will search for
WPRMegaMenuorWprConfig. - Acquisition Steps:
- Create a post/page and open the Elementor editor (accessible to Contributors).
- Alternatively, navigate to any admin page where Royal Addons scripts are enqueued.
- Execute the following in the browser console:
browser_eval("window.WPRMegaMenu?.nonce || window.WprConfig?.nonce")
- Bypass Note: If
wpr_save_mega_menu_settingslacks acurrent_user_can('manage_options')check (unlikewpr_create_mega_menu_template), a Contributor can exploit it using this nonce.
5. Exploitation Strategy
- Target Identification: Identify a valid
menu_item_id. This can be done viawp_clior by inspecting the Navigation Menus page. - Craft Payload: Use a payload designed to break out of an HTML attribute:
"><script>alert(document.domain)</script> - HTTP Request (using
http_requesttool):- URL:
https://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Parameter structureaction=wpr_save_mega_menu_settings& nonce=<NONCE>& item_id=<ITEM_ID>& settings[wpr_mm_custom_width]=600"><script>alert(1)</script>& settings[wpr_mm_enabled]=truesettings[]is inferred based on standard Royal Addons AJAX patterns).
- URL:
6. Test Data Setup
- Create Menu:
wp menu create "Test Menu" - Add Item:
wp menu item add-post test-menu 1(where 1 is a valid post ID). - Identify ID: Get the Menu Item ID (this is a post of type
nav_menu_item):wp post list --post_type=nav_menu_item --format=ids - Create Attacker:
wp user create attacker attacker@example.com --role=contributor --user_pass=password
7. Expected Results
- The AJAX response should return a success status (e.g.,
{"success": true}). - The malicious payload should be stored in the database.
- When an administrator visits the Appearance > Menus page, the
render_settings_popupfunction will execute, rendering the injected script.
8. Verification Steps
- Database Check: Verify the payload is stored:
wp post meta get <ITEM_ID> wpr_mm_settings - Trigger Check: Use the
browser_navigatetool to go towp-admin/nav-menus.phpas an administrator and check for thealertor the presence of the<script>tag in the DOM.
9. Alternative Approaches
- Widget Injection: If the Mega Menu CPT
wpr_mega_menuis directly editable by Contributors (as suggested by'capability_type' => 'post'), the attacker can navigate towp-admin/post.php?post=<MEGA_MENU_ID>&action=elementorand use an unescaped widget property (e.g., "Custom ID" field in a Royal Addons widget) to store the XSS. - Search Query XSS: Check if the
wpr_backend_widget_search_query_resultsAJAX action reflects the search term unsanitized, which would lead to Reflected XSS.
Summary
The Royal Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting via the Mega Menu settings. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into menu item metadata because the plugin fails to sanitize input before storage and fails to escape it during output, leading to execution in the context of an administrator's browser.
Vulnerable Code
// admin/mega-menu.php:254 function wpr_save_mega_menu_settings() { $nonce = $_POST['nonce']; if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ) || !current_user_can( 'manage_options' ) ) { exit; // Get out of here, the nonce is rotten! } if ( isset($_POST['item_settings']) ) { update_post_meta( $_POST['item_id'], 'wpr-mega-menu-settings', $_POST['item_settings'] ); } wp_send_json_success($_POST['item_settings']); }
Security Fix
@@ -252,20 +260,81 @@ <?php } +/** + * Allowed mega menu setting keys (whitelist for sanitization). + * + * @return array + */ +function wpr_mega_menu_allowed_settings_keys() { + return [ + 'wpr_mm_enable', + 'wpr_mm_position', + 'wpr_mm_width', + 'wpr_mm_custom_width', + 'wpr_mm_mobile_content', + 'wpr_mm_render', + 'wpr_mm_icon_picker', + 'wpr_mm_icon_color', + 'wpr_mm_icon_size', + 'wpr_mm_badge_text', + 'wpr_mm_badge_color', + 'wpr_mm_badge_bg_color', + 'wpr_mm_badge_animation', + ]; +} + +/** + * Sanitize a single mega menu setting value. + * + * @param mixed $value Raw value. + * @param string $key Setting key. + * @return mixed Sanitized value. + */ +function wpr_sanitize_mega_menu_setting( $value, $key ) { + if ( ! is_scalar( $value ) ) { + return ''; + } + $value = (string) $value; + if ( in_array( $key, [ 'wpr_mm_icon_color', 'wpr_mm_badge_color', 'wpr_mm_badge_bg_color' ], true ) ) { + return sanitize_text_field( $value ); + } + if ( $key === 'wpr_mm_icon_size' || $key === 'wpr_mm_custom_width' ) { + return absint( $value ); + } + return sanitize_text_field( $value ); +} + // Save Mega Menu Settings function wpr_save_mega_menu_settings() { - $nonce = $_POST['nonce']; + if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpr-mega-menu-js' ) || ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Invalid request.' ] ); + return; + } - if ( !wp_verify_nonce( $nonce, 'wpr-mega-menu-js' ) || !current_user_can( 'manage_options' ) ) { - exit; // Get out of here, the nonce is rotten! + if ( ! isset( $_POST['item_id'] ) || ! isset( $_POST['item_settings'] ) || ! is_array( $_POST['item_settings'] ) ) { + wp_send_json_error( [ 'message' => 'Missing item_id or item_settings.' ] ); + return; + } + + $item_id = absint( $_POST['item_id'] ); + $item_post = get_post( $item_id ); + if ( ! $item_post || $item_post->post_type !== 'nav_menu_item' ) { + wp_send_json_error( [ 'message' => 'Invalid menu item.' ] ); + return; } - if ( isset($_POST['item_settings']) ) { - update_post_meta( $_POST['item_id'], 'wpr-mega-menu-settings', $_POST['item_settings'] ); + $allowed_keys = wpr_mega_menu_allowed_settings_keys(); + $raw = wp_unslash( $_POST['item_settings'] ); + $sanitized = []; + foreach ( $allowed_keys as $key ) { + if ( array_key_exists( $key, $raw ) ) { + $sanitized[ $key ] = wpr_sanitize_mega_menu_setting( $raw[ $key ], $key ); + } } - wp_send_json_success($_POST['item_settings']); + update_post_meta( $item_id, 'wpr-mega-menu-settings', $sanitized ); + wp_send_json_success( $sanitized ); }
Exploit Outline
1. Authenticate as a Contributor user and retrieve a valid security nonce for the 'wpr-mega-menu-js' action, typically accessible via localized JavaScript objects in the Elementor editor or dashboard. 2. Identify the target Navigation Menu Item ID (nav_menu_item post type). 3. Dispatch a POST request to /wp-admin/admin-ajax.php using the 'wpr_save_mega_menu_settings' action. 4. Provide a payload in the 'item_settings' array, specifically targeting text-based fields like 'wpr_mm_custom_width'. For example: settings[wpr_mm_custom_width]=600"><script>alert(document.domain)</script>. 5. The payload is saved directly into the post meta for the menu item. The script triggers when an administrator views the Appearance > Menus page and the settings popup for the affected menu item is rendered.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.