Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 77 known issues Latest disclosed May 13, 2026

Royal Addons for Elementor – Addons and Templates Kit for Elementor Vulnerabilities

Q: How many Royal Addons for Elementor – Addons and Templates Kit for Elementor vulnerabilities have patch guidance?

77 of 77 tracked Royal Addons for Elementor – Addons and Templates Kit for Elementor records include a published patch path.

Review known vulnerability records for the WordPress plugin Royal Addons for Elementor – Addons and Templates Kit for Elementor (`royal-elementor-addons`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-6504, CVE-2026-27421 and CVE-2026-25436, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

May 14, 2026

Related Security Guides

Use these guides while reviewing Royal Addons for Elementor – Addons and Templates Kit for Elementor fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize Royal Addons for Elementor – Addons and Templates Kit for Elementor remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is royal-elementor-addons before acting on any CVE from this cluster.

2. Sort by Severity

Start with 8 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

77 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2023-5360 Critical

Remote Code Execution remediation for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Affected range: Versions up to 1.3.78. Fixed version: 1.3.79.

CVE-2025-13067 High

Remote Code Execution remediation for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Affected range: Versions up to 1.7.1049. Fixed version: 1.7.1050.

CVE-2024-1567 High

Remote Code Execution remediation for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Affected range: Versions up to 1.3.94. Fixed version: 1.3.95.

CVE-2022-4102 High

Cross-Site Request Forgery remediation for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Affected range: Versions up to 1.3.55. Fixed version: 1.3.56.

Priority CVE Quick Links

Fast paths into Royal Addons for Elementor – Addons and Templates Kit for Elementor CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2023-5360 Royal Elementor Addons and Templates <= 1.3.78 - Unauthenticated Arbitrary File Uplo...	Remote Code Execution	Versions up to 1.3.78	1.3.79	CVSS 9.8
CVE-2025-13067 Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Uplo...	Remote Code Execution	Versions up to 1.7.1049	1.7.1050	CVSS 8.8
CVE-2024-1567 Royal Elementor Addons and Templates <= 1.3.94 - Unauthenticated Limited File Upload	Remote Code Execution	Versions up to 1.3.94	1.3.95	CVSS 8.2
CVE-2022-4102 Royal Elementor Addons <= 1.3.55 - Cross-Site Request Forgery	Cross-Site Request Forgery	Versions up to 1.3.55	1.3.56	CVSS 8.1
CVE-2022-4102 Royal Elementor Addons <=1.3.55 - Authenticated (Subscriber+) Arbitrary Post Deletio...	Authorization Bypass	Versions up to 1.3.55	1.3.56	CVSS 8.1
CVE-2026-4803 Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting...	Stored Cross-Site Scripting	Versions up to 1.7.1056	1.7.1057	CVSS 7.2
CVE-2026-6229 Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Re...	Server-Side Request Forgery	Versions up to 1.7.1057	1.7.1058	CVSS 7.2
CVE-2022-4103 Royal Elementor Addons <=1.3.55 - Missing Authorization to Subscriber+ Arbitrary Pos...	Authorization Bypass	Versions up to 1.3.55	1.3.56	CVSS 6.5

CVE-2023-5360 Critical 1.3.79

CVE-2023-5360 Royal Addons for Elementor – Addons and Templates Kit for Elementor Remote Code Execution

Royal Elementor Addons and Templates <= 1.3.78 - Unauthenticated Arbitrary File Upload

CVE-2025-13067 High 1.7.1050

CVE-2025-13067 Royal Addons for Elementor – Addons and Templates Kit for Elementor Remote Code Execution

Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

CVE-2024-1567 High 1.3.95

CVE-2024-1567 Royal Addons for Elementor – Addons and Templates Kit for Elementor Remote Code Execution

Royal Elementor Addons and Templates <= 1.3.94 - Unauthenticated Limited File Upload

CVE-2022-4102 High 1.3.56

CVE-2022-4102 Royal Addons for Elementor – Addons and Templates Kit for Elementor Cross-Site Request Forgery

Royal Elementor Addons <= 1.3.55 - Cross-Site Request Forgery

CVE-2022-4102 High 1.3.56

CVE-2022-4102 Royal Addons for Elementor – Addons and Templates Kit for Elementor Authorization Bypass

Royal Elementor Addons <=1.3.55 - Authenticated (Subscriber+) Arbitrary Post Deletion

CVE-2026-4803 High 1.7.1057

CVE-2026-4803 Royal Addons for Elementor – Addons and Templates Kit for Elementor Stored Cross-Site Scripting

Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta

CVE-2026-6229 High 1.7.1058

CVE-2026-6229 Royal Addons for Elementor – Addons and Templates Kit for Elementor Server-Side Request Forgery

Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter

CVE-2022-4103 Medium 1.3.56

CVE-2022-4103 Royal Addons for Elementor – Addons and Templates Kit for Elementor Authorization Bypass

Royal Elementor Addons <=1.3.55 - Missing Authorization to Subscriber+ Arbitrary Post Creation

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Royal Addons for Elementor – Addons and Templates Kit for Elementor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

77 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

1 critical and 7 high severity findings.

Recent CVEs

CVE-2026-6504, CVE-2026-27421 and CVE-2026-25436

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-6504 Medium Patch path listed

CVE-2026-6504: Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to...

Published

May 13, 2026

Patch Status

1.7.1059

Review CVE-2026-6504 affected versions

CVE-2026-27421 Medium Patch path listed

CVE-2026-27421: Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.7.1053 due to insufficient input...

Published

May 07, 2026

Patch Status

1.7.1053

Review CVE-2026-27421 affected versions

CVE-2026-25436 Medium Patch path listed

CVE-2026-25436: Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Missing Authorization

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions...

Published

May 07, 2026

Patch Status

1.7.1053

Review CVE-2026-25436 affected versions

Known Vulnerabilities

Reports for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-6504

CVE-2026-6504: Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authentic...

Published

May 13, 2026

Patched Release

1.7.1059

Affected Versions

Versions up to 1.7.1058

Next Step

Update to 1.7.1059 or newer if supported.

Review CVE-2026-6504 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-27421

CVE-2026-27421: Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.7.1053 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published

May 07, 2026

Patched Release

1.7.1053

Affected Versions

Versions before 1.7.1053

Next Step

Update to 1.7.1053 or newer if supported.

Review CVE-2026-27421 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-25436

CVE-2026-25436: Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Missing Authorization

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.7.1053. This makes it possible for unauthenticated attackers to perform an unautho...

Published

May 07, 2026

Patched Release

1.7.1053

Affected Versions

Versions before 1.7.1053

Next Step

Update to 1.7.1053 or newer if supported.

Review CVE-2026-25436 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-5159

CVE-2026-5159: Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes i...

Published

May 04, 2026

Patched Release

1.7.1057

Affected Versions

Versions up to 1.7.1056

Next Step

Update to 1.7.1057 or newer if supported.

Review CVE-2026-5159 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-4803

CVE-2026-4803: Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escapin...

Published

May 04, 2026

Patched Release

1.7.1057

Affected Versions

Versions up to 1.7.1056

Next Step

Update to 1.7.1057 or newer if supported.

Review CVE-2026-4803 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-4024

CVE-2026-4024: Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` an...

Published

May 01, 2026

Patched Release

1.7.1057

Affected Versions

Versions up to 1.7.1056

Next Step

Update to 1.7.1057 or newer if supported.

Review CVE-2026-4024 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-6229

CVE-2026-6229: Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google...

Published

May 01, 2026

Patched Release

1.7.1058

Affected Versions

Versions up to 1.7.1057

Next Step

Update to 1.7.1058 or newer if supported.

Review CVE-2026-6229 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-5428

CVE-2026-5428: Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function,...

Published

Apr 23, 2026

Patched Release

1.7.1057

Affected Versions

Versions up to 1.7.1056

Next Step

Update to 1.7.1057 or newer if supported.

Review CVE-2026-5428 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-5162

CVE-2026-5162: Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget

Published

Apr 16, 2026

Patched Release

1.7.1057

Affected Versions

Versions up to 1.7.1056

Next Step

Update to 1.7.1057 or newer if supported.

Review CVE-2026-5162 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-0664

CVE-2026-0664: Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published

Apr 03, 2026

Patched Release

1.7.1050

Affected Versions

Versions up to 1.7.1049

Next Step

Update to 1.7.1050 or newer if supported.

Review CVE-2026-0664 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-40763

CVE-2026-40763: Royal Elementor Addons <= 1.7.1056 - Missing Authorization

The Royal Elementor Addons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.7.1056. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published

Mar 31, 2026

Patched Release

1.7.1057

Affected Versions

Versions up to 1.7.1056

Next Step

Update to 1.7.1057 or newer if supported.

Review CVE-2026-40763 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-2373

CVE-2026-2373: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included...

Published

Mar 16, 2026

Patched Release

1.7.1050

Affected Versions

Versions up to 1.7.1049

Next Step

Update to 1.7.1050 or newer if supported.

Review CVE-2026-2373 fixed version details Open CVE Reference