Plugin Vulnerability Hub
Plugin 67 known issues Latest disclosed Apr 03, 2026

Royal Addons for Elementor – Addons and Templates Kit for Elementor Vulnerabilities

Review known vulnerability records for the WordPress plugin Royal Addons for Elementor – Addons and Templates Kit for Elementor (`royal-elementor-addons`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-0664, CVE-2026-2373 and CVE-2025-13067, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 67
High or Critical: 6
Patch Coverage: 100%
Last Updated: Apr 04, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Royal Addons for Elementor – Addons and Templates Kit for Elementor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 67 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 5 high severity findings.
Recent CVEs: CVE-2026-0664, CVE-2026-2373 and CVE-2025-13067
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Royal Addons for Elementor – Addons and Templates Kit for Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-0664
Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published: Apr 03, 2026
Patched Release: 1.7.1050
Affected Versions: Versions up to 1.7.1049
Next Step: Update to 1.7.1050 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-2373
Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included...

Published: Mar 16, 2026
Patched Release: 1.7.1050
Affected Versions: Versions up to 1.7.1049
Next Step: Update to 1.7.1050 or newer if supported.

Plugin High Patched: Yes CVE-2025-13067
Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. Thi...

Published: Mar 10, 2026
Patched Release: 1.7.1050
Affected Versions: Versions up to 1.7.1049
Next Step: Update to 1.7.1050 or newer if supported.

Plugin Medium Patched: No CVE-2026-28135
Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.1049. This makes it possible for unauthenticated attackers t...

Published: Feb 26, 2026
Patched Release: Not published
Affected Versions: Versions up to 1.7.1049
Next Step: Open the full report for remediation notes and references.

Plugin Medium Patched: Yes CVE-2025-11363
Royal Elementor Addons and Templates <= 1.7.1036 - Missing Authorization to Unauthenticated Media File Upload

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to unauthorized media file uploads due to a missing capability check on the 'wpr_addons_upload_file' AJAX endpoint in all versions up to, and including, 1.7.1036. This makes...

Published: Nov 24, 2025
Patched Release: 1.7.1037
Affected Versions: Versions up to 1.7.1036
Next Step: Update to 1.7.1037 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-6251
Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published: Nov 18, 2025
Patched Release: 1.7.1037
Affected Versions: Versions up to 1.7.1036
Next Step: Update to 1.7.1037 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-5338
Royal Elementor Addons <= 1.7.1028 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1028 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth...

Published: Jun 25, 2025
Patched Release: 1.7.1029
Affected Versions: Versions up to 1.7.1028
Next Step: Update to 1.7.1029 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3813
Royal Elementor Addons and Templates <= 1.7.1020 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for aut...

Published: May 30, 2025
Patched Release: 1.7.1021
Affected Versions: Versions up to 1.7.1020
Next Step: Update to 1.7.1021 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-39361
Royal Elementor Addons <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access an...

Published: May 07, 2025
Patched Release: 1.7.1018
Affected Versions: Versions up to 1.7.1017
Next Step: Update to 1.7.1018 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12120
Royal Elementor Addons and Templates <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes...

Published: May 06, 2025
Patched Release: 1.7.1018
Affected Versions: Versions up to 1.7.1017
Next Step: Update to 1.7.1018 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-39543
Royal Elementor Addons <= 1.3.977 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.977 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and...

Published: Apr 16, 2025
Patched Release: 1.3.979
Affected Versions: Versions up to 1.3.977
Next Step: Update to 1.3.979 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-26990
Royal Elementor Addons <= 1.7.1006 - Authenticated (Admin+) Server Side Request Forgery

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.1006. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitr...

Published: Apr 11, 2025
Patched Release: 1.7.1007
Affected Versions: Versions up to 1.7.1006
Next Step: Update to 1.7.1007 or newer if supported.