The Royal Elementor Addons and Templates plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. This affects user-supplied attributes in multiple widgets (Flip Carousel, Flip Box, Post Grid, Taxonomy List) in all versions up to 1.3.971. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code that executes in the context of users visiting the compromised pages. The vulnerability has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, and partial confidentiality and integrity impact with no availability impact. There is no vendor advisory or patch information provided, and no known exploitation in the wild has been reported.

An authenticated attacker with contributor-level access or higher can exploit this vulnerability to inject and store malicious scripts in affected widgets. These scripts execute in the browsers of users who view the compromised pages, potentially leading to session hijacking, defacement, or other client-side attacks. The impact includes partial confidentiality and integrity loss but no direct availability impact. Since the vulnerability requires authenticated access, the attack surface is limited to users with contributor or higher privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access to trusted users only and consider disabling or avoiding use of the affected widgets (Flip Carousel, Flip Box, Post Grid, Taxonomy List) in the Royal Addons for Elementor plugin. Monitor for updates from the vendor and apply patches promptly once released.