{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1456", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-18T19:47:03.889Z", "datePublished": "2025-04-12T08:22:40.950Z", "dateUpdated": "2026-04-08T16:58:31.165Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:31.165Z"}, "affected": [{"vendor": "wproyal", "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1012", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68c6e428-b9cf-442f-a896-a8ceb4b9be0e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/assets/js/frontend.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/assets/js/frontend.js?old=3255849&old_path=royal-elementor-addons%2Ftags%2F1.7.1012%2Fassets%2Fjs%2Ffrontend.js"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-04-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-13T02:24:04.590981Z", "id": "CVE-2025-1456", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T18:05:48.768Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1456", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-13T02:24:04.590981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-13T02:30:30.701Z"}}], "cna": {"title": "Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wproyal", "product": "Royal Elementor Addons and Templates", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7.1012"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68c6e428-b9cf-442f-a896-a8ceb4b9be0e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/assets/js/frontend.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/assets/js/frontend.js?old=3255849&old_path=royal-elementor-addons%2Ftags%2F1.7.1012%2Fassets%2Fjs%2Ffrontend.js"}], "descriptions": [{"lang": "en", "value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-12T08:22:40.950Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1456", "state": "PUBLISHED", "dateUpdated": "2025-04-14T18:05:48.768Z", "dateReserved": "2025-02-18T19:47:03.889Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-12T08:22:40.950Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "67DBB3F7-49AE-4D7C-B084-3AF4B283A649", "versionEndExcluding": "1.7.1013", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los m\u00e9todos `widgetGrid`, `widgetCountDown` y `widgetInstagramFeed` en todas las versiones hasta la 1.7.1012 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficiente. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-1456", "lastModified": "2025-07-08T18:21:58.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-12T09:15:16.600", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/assets/js/frontend.min.js"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/assets/js/frontend.js?old=3255849&old_path=royal-elementor-addons%2Ftags%2F1.7.1012%2Fassets%2Fjs%2Ffrontend.js"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68c6e428-b9cf-442f-a896-a8ceb4b9be0e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:19:32.686883+00:00", "value": {"mitigation_remediation": ["Upgrade Royal Elementor Addons and Templates to version 1.7.1013 or later to eliminate the XSS vectors.", "If an upgrade is not immediately possible, remove the plugin or disable the widgetGrid, widgetCountDown, and widgetInstagramFeed widgets to prevent further code injection.", "Conduct a thorough review and clean of any existing injected scripts from widget content and audit the site for other potential XSS vulnerabilities."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting enabling arbitrary script execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that include the Royal Elementor Addons and Templates plugin version 1.7.1012 or earlier. These versions expose the vulnerable widget rendering functions and do not provide the required input sanitisation or output escaping.", "description_and_impact": "The Royal Elementor Addons and Templates plugin for WordPress contains a stored cross\u2011site scripting flaw in the widgetGrid, widgetCountDown, and widgetInstagramFeed methods. Authenticated contributors or higher can inject malicious JavaScript that is subsequently rendered in any page that displays the affected widget. The injected code will run under the context of every visitor to the page, potentially allowing attackers to steal session cookies, deface content, or launch phishing attacks.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of < 1\u202f%, suggesting that active exploitation is currently unlikely. It is not listed in the CISA KEV catalog. The attack vector requires the attacker to be authenticated with Contributor\u2011level access or higher; the injected payload will then affect any visitor who views a page containing the compromised widget."}}}}, "created": "2026-04-21T21:30:45.740952+00:00", "updated": "2026-04-21T21:30:45.740972+00:00", "vendors": []}