Plugin Vulnerability Hub
Plugin | 69 known issues | Latest disclosed Apr 23, 2026

Royal Addons for Elementor – Addons and Templates Kit for Elementor Vulnerabilities

Review known vulnerability records for the WordPress plugin Royal Addons for Elementor – Addons and Templates Kit for Elementor (`royal-elementor-addons`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-5428, CVE-2026-5162 and CVE-2026-0664, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 69
High or Critical: 6
Patch Coverage: 100%
Last Updated: Apr 24, 2026

Priority CVE Quick Links

Fast paths into Royal Addons for Elementor – Addons and Templates Kit for Elementor CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 68

CVE-2023-5360 Critical 1.3.79
CVE-2023-5360 Royal Addons for Elementor – Addons and Templates Kit for Elementor Remote Code Execution

Royal Elementor Addons and Templates <= 1.3.78 - Unauthenticated Arbitrary File Upload

CVE-2025-13067 High 1.7.1050
CVE-2025-13067 Royal Addons for Elementor – Addons and Templates Kit for Elementor Remote Code Execution

Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

CVE-2024-1567 High 1.3.95
CVE-2024-1567 Royal Addons for Elementor – Addons and Templates Kit for Elementor Remote Code Execution

Royal Elementor Addons and Templates <= 1.3.94 - Unauthenticated Limited File Upload

CVE-2022-4102 High 1.3.56
CVE-2022-4102 Royal Addons for Elementor – Addons and Templates Kit for Elementor Cross-Site Request Forgery

Royal Elementor Addons <= 1.3.55 - Cross-Site Request Forgery

CVE-2022-4102 High 1.3.56
CVE-2022-4102 Royal Addons for Elementor – Addons and Templates Kit for Elementor Authorization Bypass

Royal Elementor Addons <=1.3.55 - Authenticated (Subscriber+) Arbitrary Post Deletion

CVE-2022-4103 Medium 1.3.56
CVE-2022-4103 Royal Addons for Elementor – Addons and Templates Kit for Elementor Authorization Bypass

Royal Elementor Addons <=1.3.55 - Missing Authorization to Subscriber+ Arbitrary Post Creation

CVE-2026-5428 Medium 1.7.1057
CVE-2026-5428 Royal Addons for Elementor – Addons and Templates Kit for Elementor Stored Cross-Site Scripting

Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field

CVE-2026-5162 Medium 1.7.1057
CVE-2026-5162 Royal Addons for Elementor – Addons and Templates Kit for Elementor Stored Cross-Site Scripting

Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Royal Addons for Elementor – Addons and Templates Kit for Elementor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 69 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 5 high severity findings.
Recent CVEs: CVE-2026-5428, CVE-2026-5162 and CVE-2026-0664
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-5428
CVE-2026-5428: Royal Addons for Elementor <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting via Image Caption Field

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function,...

Published: Apr 23, 2026
Patched Release: 1.7.1057
Affected Versions: Versions up to 1.7.1056
Next Step: Update to 1.7.1057 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-5162
CVE-2026-5162: Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes i...

Published: Apr 16, 2026
Patched Release: 1.7.1057
Affected Versions: Versions up to 1.7.1056
Next Step: Update to 1.7.1057 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-0664
CVE-2026-0664: Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published: Apr 03, 2026
Patched Release: 1.7.1050
Affected Versions: Versions up to 1.7.1049
Next Step: Update to 1.7.1050 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-2373
CVE-2026-2373: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included...

Published: Mar 16, 2026
Patched Release: 1.7.1050
Affected Versions: Versions up to 1.7.1049
Next Step: Update to 1.7.1050 or newer if supported.

Plugin High Patched: Yes CVE-2025-13067
CVE-2025-13067: Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. Thi...

Published: Mar 10, 2026
Patched Release: 1.7.1050
Affected Versions: Versions up to 1.7.1049
Next Step: Update to 1.7.1050 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-28135
CVE-2026-28135: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1052 - Missing Authorization

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.1052. This makes it possible for unauthenticated attackers t...

Published: Feb 26, 2026
Patched Release: 1.7.1053
Affected Versions: Versions up to 1.7.1052
Next Step: Update to 1.7.1053 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-11363
CVE-2025-11363: Royal Elementor Addons and Templates <= 1.7.1036 - Missing Authorization to Unauthenticated Media File Upload

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized media file uploads due to a missing capability check on the 'wpr_addons_upload_file' AJAX endpoint in all versions up to, and including, 1.7.1036. This makes...

Published: Nov 24, 2025
Patched Release: 1.7.1037
Affected Versions: Versions up to 1.7.1036
Next Step: Update to 1.7.1037 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-6251
CVE-2025-6251: Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published: Nov 18, 2025
Patched Release: 1.7.1037
Affected Versions: Versions up to 1.7.1036
Next Step: Update to 1.7.1037 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-5338
CVE-2025-5338: Royal Elementor Addons <= 1.7.1028 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth...

Published: Jun 25, 2025
Patched Release: 1.7.1029
Affected Versions: Versions up to 1.7.1028
Next Step: Update to 1.7.1029 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3813
CVE-2025-3813: Royal Elementor Addons and Templates <= 1.7.1020 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for aut...

Published: May 30, 2025
Patched Release: 1.7.1021
Affected Versions: Versions up to 1.7.1020
Next Step: Update to 1.7.1021 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-39361
CVE-2025-39361: Royal Elementor Addons <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access an...

Published: May 07, 2025
Patched Release: 1.7.1018
Affected Versions: Versions up to 1.7.1017
Next Step: Update to 1.7.1018 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12120
CVE-2024-12120: Royal Elementor Addons and Templates <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes...

Published: May 06, 2025
Patched Release: 1.7.1018
Affected Versions: Versions up to 1.7.1017
Next Step: Update to 1.7.1018 or newer if supported.