CVE-2025-5338 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Royal Elementor Addons and Templates plugin for WordPress, developed by wproyal. This vulnerability affects all versions up to and including 1.7.1024. The root cause is insufficient input sanitization and output escaping of user-supplied attributes in multiple widgets provided by the plugin. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages generated by the plugin. These scripts are then stored persistently and executed in the browsers of any users who visit the compromised pages, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability has a CVSS v3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges at the contributor level, but no user interaction is needed for the malicious script to execute once the page is accessed. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the broader WordPress site environment. No known exploits in the wild have been reported yet, and no official patches have been linked as of the publication date (June 26, 2025).

For European organizations using WordPress sites with the Royal Elementor Addons plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could lead to unauthorized script execution, enabling attackers to steal session cookies, deface websites, redirect users to malicious sites, or perform actions on behalf of legitimate users. This can result in data breaches, loss of customer confidence, and potential regulatory penalties under GDPR if personal data is compromised. The requirement for contributor-level access limits the attack surface to insiders or compromised accounts, but given the collaborative nature of many organizational websites, this is a realistic threat. The cross-site scripting vulnerability can also be leveraged as a stepping stone for further attacks within the network, especially if administrative users access the injected pages. The medium severity score reflects a moderate but tangible risk, particularly for organizations with high web traffic or sensitive data handled via their WordPress sites.

European organizations should immediately audit their WordPress installations to identify the presence of the Royal Elementor Addons plugin and verify its version. Until an official patch is released, organizations should restrict contributor-level access strictly to trusted users and review user roles and permissions to minimize exposure. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection patterns in HTTP requests can provide temporary protection. Additionally, employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the sources from which scripts can be executed. Regularly monitoring website content for unauthorized changes and conducting security scans focused on XSS vulnerabilities is advisable. Once a patch becomes available, prompt application is critical. Organizations should also educate content contributors about safe input practices and the risks of injecting untrusted content.