Introduction
A publicly leaked nonce in the Royal Elementor Addons plugin for WordPress has turned what should be a protected AJAX endpoint into an open door for unauthenticated stored cross site scripting. With over 600,000 active installations, this plugin's exposure to CVE-2026-4803 represents a meaningful risk across a large swath of the WordPress ecosystem.
Royal Elementor Addons, developed by WP Royal, is a widely used extension for the Elementor page builder that provides additional widgets, templates, and form handling capabilities. Its popularity among WordPress site builders makes it a frequent target for security researchers and, consequently, for attackers.
Technical Information
The vulnerability exists in the wpr_update_form_action_meta AJAX handler, located in wpr-actions-status.php. The root cause is a combination of two distinct flaws: a publicly exposed nonce that defeats authentication controls, and insufficient sanitization of user supplied input before it is stored and rendered.
Nonce Exposure and Authentication Bypass
The AJAX handler is registered via the wp_ajax_nopriv hook, meaning WordPress routes requests from unauthenticated users to this endpoint. While the code does perform a nonce check, the nonce value (WprConfig.nonce) is embedded in frontend JavaScript on any page that loads Royal Addons widgets. Any visitor to the site can extract a valid nonce from the page source, rendering the nonce verification meaningless as an access control mechanism.
The endpoint also lacks any capability checks or ownership verification. There is no call to current_user_can() or any equivalent authorization gate. The nonce was the sole barrier, and it was publicly available.
Payload Storage and Rendering
Once an attacker has the nonce, they can call the wpr_update_form_action_meta AJAX action and supply a crafted payload in the status parameter. The vulnerable code path calls update_post_meta with this user controlled input without adequate sanitization or escaping. The malicious data is written directly to the WordPress database as post metadata. When the stored metadata is later rendered on the frontend, it is output without proper escaping, resulting in stored cross site scripting.
Attack Flow
The exploitation chain proceeds as follows:
- The attacker visits any page on the target WordPress site that loads a Royal Elementor Addons widget.
- The attacker extracts the WprConfig.nonce value from the page's JavaScript source.
- Using this nonce, the attacker sends a crafted POST request to wp-admin/admin-ajax.php with the action set to wpr_update_form_action_meta and a malicious JavaScript payload in the status parameter.
- The server validates the nonce (which succeeds because the nonce is legitimate), performs no capability or ownership checks, and stores the payload via update_post_meta.
- When any user, including administrators, visits the page where this metadata is rendered, the injected script executes in their browser.
The entire chain requires no authentication. The CVSS score of 7.2 reflects the unauthenticated attack vector and the persistent nature of the stored XSS payload.
Patch Mechanics
The patched version (1.7.1057 and later) introduces strict server side validation. The updated code requires a specific submission secret that is generated per post. It verifies this secret using hash_equals before allowing any metadata updates, effectively blocking unauthenticated tampering.
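The gate the patched version describes, and why the public WprConfig.nonce could never serve as one (see the nonce exposure section above), as an added illustration in WordPress PHP; this is not the plugin's own code, and the action name, meta keys and status allowlist are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: the AJAX action
// 'example_wpr_update_status', the meta keys '_example_submission_secret' and
// 'example_form_action_status', and the status allowlist are all assumptions.
// Issue a per-post secret once; it is handed only to the legitimate form flow
// for that post, never embedded in a page-wide JS object like WprConfig.
function example_ensure_submission_secret( $post_id ) {
    $secret = get_post_meta( $post_id, '_example_submission_secret', true );
    if ( '' === $secret ) {
        $secret = wp_generate_password( 32, false ); // random, unguessable
        update_post_meta( $post_id, '_example_submission_secret', $secret );
    }
    return $secret;
}

function example_update_status_handler() {
    // The nonce check stays for CSRF purposes, but because WprConfig.nonce is
    // readable by every visitor it cannot serve as the authorization gate.
    check_ajax_referer( 'example-nonce', 'nonce' );
    $post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $supplied = isset( $_POST['secret'] ) ? (string) wp_unslash( $_POST['secret'] ) : '';
    $status   = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'unknown post', 400 );
    }
    // Gate 1: the per-post secret, compared in constant time with hash_equals,
    // which is what the 1.7.1057 patch introduces.
    $expected = (string) get_post_meta( $post_id, '_example_submission_secret', true );
    if ( '' === $expected || ! hash_equals( $expected, $supplied ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Gate 2: only known status values reach the database, so a script
    // payload in 'status' is rejected instead of stored.
    $allowed = array( 'pending', 'sent', 'failed' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    update_post_meta( $post_id, 'example_form_action_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}
add_action( 'wp_ajax_example_wpr_update_status', 'example_update_status_handler' );
add_action( 'wp_ajax_nopriv_example_wpr_update_status', 'example_update_status_handler' );

// Defence in depth on the way out: escape at render time as well, so anything
// already sitting in post meta cannot execute when displayed.
function example_render_status( $post_id ) {
    $status = get_post_meta( $post_id, 'example_form_action_status', true );
    return '<span class="wpr-status">' . esc_html( $status ) . '</span>';
}
```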
Affected Systems and Versions
The vulnerability affects the Royal Addons for Elementor (also known as Royal Elementor Addons) WordPress plugin in all versions up to and including 1.7.1056. The fix was introduced in version 1.7.1057, with version 1.7.1058 also containing the security fixes.
Any WordPress site running an affected version of the plugin with form modules active is vulnerable, as the nonce is exposed on any page that loads Royal Addons widgets.
Vendor Security History
WP Royal has faced a cluster of security disclosures in a compressed timeframe. The following table summarizes recent vulnerabilities in the Royal Elementor Addons ecosystem:
| CVE Identifier | Vulnerability Type | Affected Versions | CVSS Score | Patched Version |
|---|---|---|---|---|
| CVE-2026-4803 | Unauthenticated Stored XSS | Up to 1.7.1056 | 7.2 | 1.7.1057 |
| CVE-2026-4024 | Missing Authorization | Up to 1.7.1056 | 5.3 | 1.7.1057 |
| CVE-2026-5159 | Authenticated Stored XSS | Up to 1.7.1056 | 6.4 | 1.7.1057 |
| CVE-2026-40720 | Unauthenticated Stored XSS (Pro) | Up to 1.7.1041 | 7.2 | 1.7.1041 |
The recurring themes across these disclosures are authorization bypass and insufficient input sanitization. The vendor has been responsive in releasing patches, but the frequency of similar vulnerability classes suggests systemic issues in the codebase's security posture.