{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5428", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-02T14:30:44.825Z", "datePublished": "2026-04-24T05:29:38.884Z", "dateUpdated": "2026-04-24T18:24:57.867Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T05:29:38.884Z"}, "affected": [{"vendor": "wproyal", "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1056", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget."}], "title": "Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba7b8fe5-aa49-4a70-89c9-1b95a30b1142?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6755"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6755"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6752"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6752"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3503209%40royal-elementor-addons&new=3503209%40royal-elementor-addons&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-04-02T14:46:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-23T16:35:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:24:35.466658Z", "id": "CVE-2026-5428", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:24:57.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T18:24:35.466658Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:24:49.210Z"}}], "cna": {"title": "Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wproyal", "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.1056"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-02T14:46:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-23T16:35:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba7b8fe5-aa49-4a70-89c9-1b95a30b1142?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6755"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6755"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6752"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6752"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3503209%40royal-elementor-addons&new=3503209%40royal-elementor-addons&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T05:29:38.884Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5428", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:24:57.867Z", "dateReserved": "2026-04-02T14:30:44.825Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-24T05:29:38.884Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget."}], "id": "CVE-2026-5428", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T06:16:08.643", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6752"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/media-grid/widgets/wpr-media-grid.php#L6755"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6752"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/media-grid/widgets/wpr-media-grid.php#L6755"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3503209%40royal-elementor-addons&new=3503209%40royal-elementor-addons&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba7b8fe5-aa49-4a70-89c9-1b95a30b1142?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.1056]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "source": "cna", "vendor": "wproyal"}, "product": "royal_addons_for_elementor_\u2013_addons_and_templates_kit_for_elementor", "vendor": "wproyal"}], "analysis": {"en": {"generated_at": "2026-04-28T06:57:32.534500+00:00", "value": {"mitigation_remediation": ["Upgrade Royal Elementor Addons to version 1.7.1057 or newer.", "Audit existing image captions in media grid widgets and delete any that contain suspicious or external script references.", "Implement role restrictions to prevent authors from editing image captions if your site does not need rich caption content."], "summary": {"action": "Patch Now", "impact": "Stored XSS in Royal Elementor Addons"}, "threat_synthesis": {"affected_systems": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor is affected in all releases up to and including 1.7.1056. The vulnerability exists in the Image Grid/Slider/Carousel widget.", "description_and_impact": "The Royal Elementor Addons plugin is vulnerable to stored cross-site scripting through image captions in the Image Grid/Slider/Carousel widget. The issue originates from insufficient escaping in the render_post_thumbnail() function, where wp_kses_post() is used for an attribute context instead of esc_attr(). This flaw allows authenticated users with Author role or higher to insert arbitrary JavaScript into image captions, which is then executed each time a page containing the malicious image is viewed by any user.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity. EPSS <1% indicates a very low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The attack can be carried out by any user with Author level or higher, who can modify image captions. Once a malicious caption is stored, any visitor who loads a page with the image will execute the injected script, enabling actions such as cookie theft, session hijacking, or defacement."}}}}, "created": "2026-04-27T22:00:15.587037+00:00", "updated": "2026-04-28T07:00:09.539684+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wproyal", "wproyal$PRODUCT$royal_addons_for_elementor_\u2013_addons_and_templates_kit_for_elementor"]}