CVE-2026-4803

CVE-2026-4803 is a stored cross-site scripting (XSS) vulnerability in the Royal Elementor Addons plugin for WordPress, affecting all versions up to and including 1.7.1056. The flaw exists in the wpr_update_form_action_meta AJAX action, specifically via the 'status' parameter, due to insufficient input sanitization and output escaping. Additionally, a publicly leaked nonce enables unauthenticated access to the AJAX handler, allowing attackers to inject arbitrary web scripts into pages. The vulnerability is rated with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-79 (Cross-site Scripting).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending crafted requests to the vulnerable AJAX endpoint, they can inject malicious scripts into form-related pages or submissions. These scripts execute in the context of any user, including administrators, who subsequently accesses the affected page, potentially leading to session hijacking, data theft, or further compromise of the WordPress site.

References provided include source code locations in the plugin's trac repository, such as wpr-actions-status.php (lines 21 and 73), wpr-submissions-cpt.php (line 23), and plugin.php (line 613), highlighting the vulnerable code paths. A specific changeset (3503219) in wpr-actions-status.php indicates a code modification, likely implementing a patch to address the issue. Security practitioners should update to a version beyond 1.7.1056 and review sites using this plugin for injected content.