cleantalk
Vulnerabilities and Security Researches

Royal Elementor Addons and Templates, CVE-2026-5159

CVE, Research URL

CVE-2026-5159

Home page URL

Security reports for Royal Elementor Addons and Templates

Application

Royal Elementor Addons and Templates

Published on
May 05, 2026
Research Description
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.
Affected versions
max 1.7.1057.
Status
vulnerable
Previous vulnerability researches
Conditional Fields for Contact Form 7 (CVE-2023-47838) , Jun 10, 2024
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026
Conditional Fields for Contact Form 7 (0bb038577e135241efdec5ee2901e7ead90280e7) , Jun 07, 2024
Conditional Fields for Contact Form 7 (CVE-2024-50412) , Oct 27, 2024
Conditional Fields for Contact Form 7 (CVE-2024-5804) , Jul 20, 2024
New vulnerability
Royal Elementor Addons and Templates (CVE-2026-4803) , May 06, 2026
Royal Elementor Addons and Templates (CVE-2026-5159) , May 06, 2026
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2026-5063) , May 06, 2026
Loco Translate (CVE-2026-1921) , May 06, 2026
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026