The Royal Elementor Addons plugin for WordPress suffers from a stored XSS vulnerability due to improper neutralization of input in the 'status' parameter of the wpr_update_form_action_meta AJAX action. The vulnerability exists in all versions up to and including 1.7.1056. The issue is exacerbated by a publicly leaked nonce that permits unauthenticated attackers to invoke the AJAX handler and inject malicious scripts. These scripts execute in the context of users visiting the compromised pages, potentially leading to session hijacking or other client-side attacks. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality and integrity with scope changed.

An unauthenticated attacker can exploit this vulnerability to inject and store malicious scripts in the affected WordPress plugin, which execute when users access the compromised pages. This can lead to partial loss of confidentiality and integrity, such as theft of user credentials or manipulation of page content. There is no direct impact on availability. No known exploits in the wild have been reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor the vendor's communications for updates. Until a patch is available, consider disabling or restricting access to the vulnerable AJAX action if possible, or applying web application firewall (WAF) rules to block exploitation attempts targeting the 'status' parameter. Avoid relying on the leaked nonce for authentication.