The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Platform
wordpress
Component
royal-elementor-addons
Fixed in
1.7.1057
CVE-2026-5162 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the Royal Addons for Elementor plugin, a popular extension for WordPress websites. This vulnerability allows authenticated attackers, possessing Contributor-level access or higher, to inject malicious JavaScript code. Successful exploitation can lead to the execution of arbitrary web scripts within the context of a user's browser, potentially compromising sensitive information or website functionality. The vulnerability impacts versions of the plugin up to and including 1.7.1056, with a fix available in version 1.7.1057.
Impact and Attack Scenarios
The impact of this XSS vulnerability is significant, particularly for websites heavily reliant on the Royal Addons for Elementor plugin. An attacker with Contributor access or higher can inject malicious JavaScript code through the 'instagram_follow_text' setting of the Instagram Feed widget. When a user visits a page containing this injected script, the script will execute in their browser. This could allow the attacker to steal cookies, redirect users to phishing sites, deface the website, or even gain further unauthorized access to the WordPress backend. The blast radius extends to all users who access pages containing the injected script, making it a widespread risk. While authentication is required, the relatively low access threshold (Contributor) increases the likelihood of exploitation, especially on sites with a large number of users.
Exploitation Context
CVE-2026-5162 was published on April 17, 2026. As of this date, there are no publicly known active campaigns exploiting this specific vulnerability. No entries are present on KEV (Known Exploited Vulnerabilities) or EPSS (Exploit Prediction Scoring System). The CVSS score of 6.4 (Medium) suggests a moderate probability of exploitation, contingent on the availability of a suitable exploit and the prevalence of vulnerable installations. Public Proof-of-Concept (POC) code has not been publicly released, but the vulnerability's nature makes it relatively straightforward to exploit.
Threat Intelligence
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low — no special conditions. The attacker can exploit it reliably.
- Privileges Required
- Low — any valid user account is sufficient.
- User Interaction
- None — the attack is automatic and silent. The victim does nothing.
- Scope
- Changed — the attack can pivot beyond the vulnerable component.
- Confidentiality
- Low — partial or indirect access to some data.
- Integrity
- Low — the attacker can modify some data with limited reach.
- Availability
- None — no impact on availability.
Affected Software
Package information
- Active installations
- 600K (known)
- Plugin rating
- 4.8
- Requires WordPress
- 5.0+
- Compatible up to
- 7.0
- Requires PHP
- 5.6+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-5162 is to immediately upgrade the Royal Addons for Elementor plugin to version 1.7.1057 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the 'instagram_follow_text' setting within the Instagram Feed widget. This can be achieved through custom code or a plugin that limits editing privileges for this specific field. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the Instagram Feed widget can provide an additional layer of defense. Monitor website traffic for suspicious activity, particularly requests containing unusual JavaScript code within the 'instagram_follow_text' parameter. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the Instagram Feed widget and confirming that it does not execute.
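Because the payload is stored in the widget's settings, a site owner can also audit what Contributor-level users have already saved. The following Python script is an added example (not from this advisory or the plugin) that walks exported Elementor page data (the `_elementor_data` post meta, a JSON tree of sections, columns and widgets) and flags any `instagram_follow_text` value carrying HTML tags, inline event handlers or a `javascript:` URL. The widget type name and the sample data are assumptions, and the setting is assumed to be a plain-text label that should never hold markup.

```python
import json
import re
from html import unescape

# Markup or script that a plain-text label should never contain.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>"      # any HTML tag, e.g. <script> or <img ...>
    r"|\bon[a-z]+\s*=",          # inline event handler, e.g. onerror=
    re.IGNORECASE,
)
SCRIPT_URL = re.compile(r"javascript\s*:", re.IGNORECASE)

# Constructed sample of an _elementor_data value; widgetType name is assumed.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "elements": [
        {"id": "b2", "elType": "column", "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "wpr-instagram-feed",
             "settings": {"instagram_follow_text": "Follow us on Instagram"}},
            {"id": "d4", "elType": "widget", "widgetType": "wpr-instagram-feed",
             "settings": {"instagram_follow_text": "Follow<img src=x onerror=alert(1)>"}},
            {"id": "e5", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "<b>bold</b>"}},  # other key: not this CVE's setting
        ]},
    ]},
])

def classify_value(value: str) -> bool:
    """True if the value holds markup or script; entity-encoded forms are decoded first."""
    decoded = unescape(value)
    return bool(SUSPICIOUS.search(decoded) or SCRIPT_URL.search(decoded))

def audit_elementor_data(raw_json: str, setting_key: str = "instagram_follow_text") -> list[dict]:
    """Depth-first walk of the element tree; report every widget whose setting looks injected."""
    findings = []

    def walk(elements, path):
        for el in elements:
            el_id = el.get("id", "?")
            value = el.get("settings", {}).get(setting_key)
            if isinstance(value, str) and classify_value(value):
                findings.append({"id": el_id, "widgetType": el.get("widgetType"),
                                 "value": value, "path": "/".join(path + [el_id])})
            walk(el.get("elements", []), path + [el_id])  # recurse into nested elements

    walk(json.loads(raw_json), [])
    return findings

if __name__ == "__main__":
    for f in audit_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(f"[!] widget {f['id']} ({f['widgetType']}) at {f['path']}: {f['value']!r}")
```

Feed it each post's `_elementor_data` value (for example exported with WP-CLI) and review every hit before or after applying the upgrade.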
How to fix
Update to version 1.7.1057, or a newer patched version
Frequently asked questions
What is CVE-2026-5162 — Cross-Site Scripting (XSS) in royal-addons-for-elementor?
It's a Stored Cross-Site Scripting (XSS) vulnerability in the Royal Addons for Elementor WordPress plugin, allowing attackers to inject malicious scripts.
Am I affected by CVE-2026-5162 in royal-addons-for-elementor?
If you're using Royal Addons for Elementor version 1.7.1056 or earlier, you are potentially vulnerable. Check your plugin version immediately.
How do I fix CVE-2026-5162 in royal-addons-for-elementor?
Upgrade to Royal Addons for Elementor version 1.7.1057 or later. If immediate upgrade isn't possible, restrict access to the Instagram Feed widget's settings.
Is CVE-2026-5162 being actively exploited?
As of now, there are no publicly known active campaigns exploiting this vulnerability, but the risk remains.
Where can I find the official royal-addons-for-elementor advisory for CVE-2026-5162?
Refer to the official WordPress vulnerability database (NVD) and the Royal Addons for Elementor plugin's website for updates and advisories.