CVE-2025-1456
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Royal Elementor Addons and Templates WordPress plugin lets an authenticated attacker with Contributor-level access or higher inject script into website pages. The script runs in the browser of every user who views the affected page, which can lead to session hijacking, credential theft or malware distribution. Every WordPress site running a vulnerable plugin version (1.7.1012 or earlier) is affected.
💻 Affected Systems
- Royal Elementor Addons and Templates WordPress plugin
📦 What is this software?
Royal Elementor Addons and Templates is a WordPress plugin that adds widgets (grids, countdowns, Instagram feeds and others) and ready-made templates to the Elementor page builder. The fix for this issue was made in the plugin's frontend JavaScript (assets/js/frontend.js; see References), the script that renders those widgets in visitors' browsers.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies or credentials when an administrator views the injected page, use that session to install a backdoor or create admin accounts, redirect visitors to malicious sites, or perform actions on behalf of any logged-in user, potentially leading to complete site compromise.
Likely Case
An attacker who holds (or has obtained) a Contributor or Author account injects script that steals visitors' session cookies, displays phishing content, or redirects visitors to malicious websites.
If Mitigated
Escaping untrusted widget settings on output, both in server-side templates and in client-side scripts that insert those settings into the DOM, prevents the payload from executing. Limiting which roles can create or edit page-builder content reduces the number of accounts able to plant a payload in the first place.
🎯 Exploit Status
Exploitation requires an authenticated account with at least Contributor privileges; once that access exists no further bypass is needed, and a Contributor account is a low bar on sites that accept guest authors or have weak passwords. The vulnerability and the fixing changeset are public (see References), so the injection point can be derived from the patch diff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1013
Fix Changeset (WordPress.org trac, not a formal advisory): https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/assets/js/frontend.js
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Royal Elementor Addons and Templates'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.7.1013 (or later) from the WordPress.org plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Applies to: all affected versions. Disable the vulnerable plugin until you can update. Note that while it is deactivated its widgets and templates stop rendering on the site's pages.
wp plugin deactivate royal-elementor-addons
Restrict User Roles
Applies to: all affected versions. Temporarily suspend Contributor and Author accounts, or restrict those roles so they cannot create or edit page-builder content, until the update is applied.
Use a WordPress role-management plugin or custom code to restrict capabilities, and review which accounts currently hold those roles: any of them could already have saved a payload.
🧯 If You Can't Patch
- Add Web Application Firewall (WAF) rules that block common XSS payloads in requests from Contributor/Author accounts. Signature-based filtering is bypassable with encoding and obfuscation, so treat this as a stopgap, not a fix.
- Send a Content-Security-Policy header that restricts script execution to your own origins. A policy that allows 'unsafe-inline' for script-src does not stop injected inline scripts, and Elementor-based sites rely on inline scripts, so roll the policy out in Content-Security-Policy-Report-Only mode first and check what breaks.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If the version is 1.7.1012 or lower, you are vulnerable. Compare versions numerically, component by component: 1.7.999 is older than 1.7.1013 even though a plain string comparison sorts it later.
Check Version:
wp plugin get royal-elementor-addons --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 1.7.1013 or higher in WordPress admin (or in the wp-cli output above). Updating closes the vulnerability but does not clean up content an attacker may already have saved, so also review pages and posts last edited by Contributor or Author accounts.
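The following POSIX shell helper is an added example, not tooling from the advisory or the plugin. It compares a version string against the fixed release numerically, component by component (a plain string comparison would call 1.7.999 newer than 1.7.1013), and then reads the installed version through the same `wp plugin get royal-elementor-addons --field=version` command shown above. The function names and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example: numeric version check for the Royal Elementor Addons fix.
# Not part of the advisory or the plugin; function names are this example's own.

FIXED_VERSION="1.7.1013"          # first patched release, per the advisory
PLUGIN_SLUG="royal-elementor-addons"

# version_lt A B: exit 0 when A is strictly older than B.
# Versions are split on "." and each component compared as an integer, so
# 1.7.999 < 1.7.1013 and 1.7 < 1.7.1013 (missing components count as 0).
# A non-numeric suffix such as "-beta" is ignored for the comparison.
version_lt() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca="${a%%.*}"                 # leading component of each version
    cb="${b%%.*}"
    ca="${ca%%[!0-9]*}"           # drop anything after the digits
    cb="${cb%%[!0-9]*}"
    [ -n "$ca" ] || ca=0
    [ -n "$cb" ] || cb=0
    if [ "$ca" -lt "$cb" ]; then
      return 0
    elif [ "$ca" -gt "$cb" ]; then
      return 1
    fi
    # components equal: move on to the next one
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1                        # identical versions are not "less than"
}

# royal_addons_vulnerable VERSION: exit 0 if VERSION predates the fix.
royal_addons_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site: read the installed version via wp-cli (run on the WordPress
# host, from the site directory) and print a verdict.
# Exit 0 = vulnerable, 1 = patched, 2 = plugin not installed or wp-cli error.
check_site() {
  if ! installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null); then
    echo "$PLUGIN_SLUG: not installed (or wp-cli could not read the site)"
    return 2
  fi
  if royal_addons_vulnerable "$installed"; then
    echo "$PLUGIN_SLUG $installed: VULNERABLE (update to $FIXED_VERSION or later)"
    return 0
  fi
  echo "$PLUGIN_SLUG $installed: patched"
  return 1
}

# Usage on the WordPress host; skipped when wp-cli is not on PATH.
if command -v wp >/dev/null 2>&1; then
  check_site
fi
```

Run it from the WordPress root as the web user so wp-cli can read wp-config.php; the exit code makes it usable from a fleet-wide inventory script.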
📡 Detection & Monitoring
Log Indicators:
- POST requests from Contributor or Author accounts that save page-builder content (widget settings) at unusual times or volumes, especially from accounts that do not normally edit pages
- Multiple failed login attempts followed by a successful login to a Contributor or Author account (an attacker obtaining the foothold this bug requires)
- Script tags, inline event handlers (onerror=, onload=) or javascript: URLs in stored widget settings or post content, particularly on content authored by low-privilege accounts
Network Indicators:
- Script tags or inline event handlers in HTTP responses that do not belong to the theme or an installed plugin
- Visitors' browsers being sent to domains you do not control because of page content (redirects, image or script loads to unknown hosts)
SIEM Query (starting point, adjust to your log schema):
source="wordpress.log" AND ("widgetGrid" OR "widgetCountDown" OR "widgetInstagramFeed") AND status=200
The three names are widget handler names from the patched frontend.js. They only appear in logs that capture request or response bodies, and any such log will also match the plugin's own frontend.js on every legitimate page load, so expect to tune this for noise rather than use it as-is.
🔗 References
- https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/assets/js/frontend.min.js
- https://plugins.trac.wordpress.org/changeset/3262790/royal-elementor-addons/tags/1.7.1013/assets/js/frontend.js?old=3255849&old_path=royal-elementor-addons%2Ftags%2F1.7.1012%2Fassets%2Fjs%2Ffrontend.js
- https://www.wordfence.com/threat-intel/vulnerabilities/id/68c6e428-b9cf-442f-a896-a8ceb4b9be0e?source=cve