CVE-2025-5338 is a stored cross-site scripting (XSS) vulnerability identified in the Royal Elementor Addons and Templates plugin for WordPress, maintained by wproyal. This vulnerability exists in all versions up to and including 1.7.1024 due to improper neutralization of input during web page generation (CWE-79). Specifically, multiple widgets within the plugin fail to adequately sanitize and escape user-supplied attributes before rendering them on web pages. As a result, authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages. These malicious scripts are stored persistently and execute automatically whenever any user accesses the infected page, without requiring further user interaction. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, and requiring privileges (PR:L) but no user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the attacker’s privileges. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date (June 26, 2025). This vulnerability is significant because WordPress is a widely used CMS, and Elementor is a popular page builder plugin, making the Royal Elementor Addons plugin a common extension in many websites. The ability for contributors to inject scripts can lead to session hijacking, privilege escalation, defacement, or distribution of malware, impacting site visitors and administrators alike.

The primary impact of CVE-2025-5338 is the compromise of confidentiality and integrity on affected WordPress sites using the Royal Elementor Addons plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the context of any user visiting the infected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or malware distribution. Although availability is not directly impacted, the reputational damage and loss of user trust can be significant. Organizations relying on this plugin for their web presence risk exposure to targeted attacks, especially if contributor accounts are compromised or misused. The vulnerability's exploitation requires authentication but no user interaction, increasing the risk in environments where contributor accounts are shared or less strictly controlled. Given the widespread use of WordPress and Elementor-based plugins, the potential attack surface is large, affecting websites ranging from small businesses to large enterprises and government portals.

To mitigate CVE-2025-5338, organizations should first verify if they are using the Royal Elementor Addons and Templates plugin and identify the version in use. Since no official patch links are currently available, immediate mitigation steps include: 1) Restrict contributor-level access strictly to trusted users and review existing contributor accounts for suspicious activity. 2) Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns targeting the vulnerable widgets. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Regularly audit and sanitize existing content created via the plugin to remove any injected scripts. 5) Monitor logs and user activity for signs of exploitation attempts. 6) Stay updated with vendor announcements for official patches or updates and apply them promptly once available. 7) Consider temporarily disabling or replacing the plugin with a secure alternative if feasible. These steps go beyond generic advice by focusing on access control, proactive detection, and content hygiene specific to this vulnerability.