Platform
wordpress
Component
royal-elementor-addons
Fixed version
1.7.1057
CVE-2026-5162 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Royal Addons for Elementor plugin, a popular extension for WordPress websites. The vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code. Successful exploitation leads to the execution of arbitrary web scripts in the browser of any user who views the affected page, potentially compromising sensitive information or website functionality. The vulnerability affects plugin versions up to and including 1.7.1056; a fix is available in version 1.7.1057.
The impact of this XSS vulnerability is significant, particularly for websites that rely heavily on the Royal Addons for Elementor plugin. An attacker with Contributor access or higher can inject malicious JavaScript code through the 'instagramfollowtext' setting of the Instagram Feed widget. When a user visits a page containing the injected script, the script executes in that user's browser. This could allow the attacker to steal cookies, redirect users to phishing sites, deface the website, or gain further unauthorized access to the WordPress backend. The blast radius extends to every user who accesses a page containing the injected script, making it a widespread risk. Although authentication is required, the relatively low access threshold (Contributor) increases the likelihood of exploitation, especially on sites with a large number of users.
CVE-2026-5162 was published on April 17, 2026. As of this date, there are no publicly known active campaigns exploiting this specific vulnerability. No entries are present in the CISA KEV (Known Exploited Vulnerabilities) catalog or in EPSS (Exploit Prediction Scoring System) data. The CVSS score of 6.4 (Medium) suggests a moderate probability of exploitation, contingent on the availability of a suitable exploit and the prevalence of vulnerable installations. No public proof-of-concept (PoC) code has been released, but the nature of the vulnerability makes it relatively straightforward to exploit.
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5162 is to upgrade the Royal Addons for Elementor plugin to version 1.7.1057 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporarily restricting access to the 'instagramfollowtext' setting of the Instagram Feed widget, either through custom code or through a plugin that limits editing privileges for that specific field. A Web Application Firewall (WAF) configured to detect and block XSS payloads aimed at the Instagram Feed widget adds a further layer of defense. Monitor website traffic for suspicious activity, in particular requests that carry unusual JavaScript code in the 'instagramfollowtext' parameter. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the Instagram Feed widget and confirming that it does not execute.
Update to version 1.7.1057, or a newer patched version
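The advisory recommends monitoring the 'instagramfollowtext' setting for injected markup, but a Contributor may already have saved a payload before the upgrade, so a defender also wants to audit stored page data. The following script is an added example written for this page; it is not code from the plugin vendor or from the advisory. It assumes (this is not stated on the page) that Elementor keeps each page's layout as a JSON tree in the `_elementor_data` post meta, where every element has `id`, `elType`, `settings` and nested `elements`, and widgets carry a `widgetType`; the widget type name of the Royal Addons Instagram Feed widget is not given in the advisory, so the scan matches on the setting key alone. The sample data is constructed.

```python
"""Audit exported Elementor page data for risky values in the Instagram Feed
widget's 'instagramfollowtext' setting (CVE-2026-5162, Royal Addons for
Elementor <= 1.7.1056), and check whether an installed version is affected.

Added example, not part of the plugin or the advisory. Assumed (not from the
advisory): Elementor stores page layouts as a JSON element tree in the
'_elementor_data' post meta; the Instagram Feed widget's widgetType is unknown
here, so only the setting key from the advisory is used for matching.
"""
import json
import re
from typing import Iterator, List, Tuple

SETTING_KEY = "instagramfollowtext"   # setting named in the advisory
FIXED_VERSION = "1.7.1057"            # fixed version named in the advisory

# A plain follow-button label should never contain tags, inline event
# handlers or javascript: URLs; any of these is worth a manual review.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z]"      # opening or closing HTML tag
    r"|\bon[a-zA-Z]+\s*="     # inline event handler such as onerror=
    r"|javascript\s*:",       # javascript: URL scheme
    re.IGNORECASE,
)


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed plugin version is older than the fixed one."""
    def parts(version: str) -> List[int]:
        return [int(p) for p in version.strip().split(".")]
    return parts(installed) < parts(fixed)


def walk(elements: list) -> Iterator[dict]:
    """Depth-first traversal of the Elementor element tree (assumed layout)."""
    for element in elements:
        yield element
        yield from walk(element.get("elements") or [])


def find_risky_settings(elementor_data: str) -> List[Tuple[str, str, str]]:
    """Return (element id, widgetType, value) for every flagged setting."""
    hits = []
    for element in walk(json.loads(elementor_data)):
        value = (element.get("settings") or {}).get(SETTING_KEY)
        if isinstance(value, str) and SUSPICIOUS.search(value):
            hits.append((element.get("id", "?"), element.get("widgetType", "?"), value))
    return hits


# Constructed sample of what `wp post meta get <id> _elementor_data` might
# return: one clean label, one with stray HTML, one with a script tag.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "settings": {}, "elements": [
        {"id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "instagram-feed-sample",
             "settings": {SETTING_KEY: "Follow us on Instagram"}, "elements": []},
            {"id": "c4", "elType": "widget", "widgetType": "instagram-feed-sample",
             "settings": {SETTING_KEY: "Follow <b>us</b>"}, "elements": []},
        ]},
    ]},
    {"id": "d5", "elType": "widget", "widgetType": "instagram-feed-sample",
     "settings": {SETTING_KEY: "Follow us <script>/* constructed marker */</script>"},
     "elements": []},
])


if __name__ == "__main__":
    print("1.7.1056 affected:", is_vulnerable_version("1.7.1056"))
    for element_id, widget_type, value in find_risky_settings(SAMPLE_ELEMENTOR_DATA):
        print(f"review element {element_id} ({widget_type}): {value!r}")
```

Run the scan over the `_elementor_data` meta of each published page (for example via WP-CLI) and review every hit by hand; a label that merely uses `<b>` is not an attack, but the widget should not be rendering unescaped markup from a Contributor at all, so the upgrade remains the fix and this audit only tells you whether cleanup is also needed.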
It's a Stored Cross-Site Scripting (XSS) vulnerability in the Royal Addons for Elementor WordPress plugin that allows attackers to inject malicious scripts.
If you're using Royal Addons for Elementor version 1.7.1056 or earlier, you are potentially vulnerable. Check your plugin version immediately.
Upgrade to Royal Addons for Elementor version 1.7.1057 or later. If an immediate upgrade isn't possible, restrict access to the Instagram Feed widget's settings.
As of now, there are no publicly known active campaigns exploiting this vulnerability, but the risk remains.
Refer to the National Vulnerability Database (NVD) entry and the Royal Addons for Elementor plugin's website for updates and advisories.