The Royal Elementor Addons plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the render_post_thumbnail() function uses wp_kses_post() for escaping the alt attribute of images instead of the appropriate esc_attr(), allowing injection of arbitrary scripts in image captions. This vulnerability affects versions up to 1.7.1056 and requires the attacker to have at least Author-level privileges. When a page containing the malicious image is accessed, the injected script executes in the context of the user’s browser, potentially leading to session hijacking or other script-based attacks. The CVSS 3.1 base score is 6.4, indicating medium severity. There is no vendor advisory or patch currently available, and no known exploits in the wild have been reported.

An authenticated attacker with Author-level access or higher can inject and store malicious JavaScript code via image captions in the affected widget. This code executes in the browsers of users who view the compromised page, potentially leading to unauthorized actions such as session hijacking or data theft. The vulnerability does not affect availability but impacts confidentiality and integrity. The medium CVSS score reflects the requirement for authenticated access and the limited scope of impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Author-level access to trusted users only and consider disabling or avoiding use of the Image Grid/Slider/Carousel widget in the Royal Elementor Addons plugin. Monitor for updates from the vendor and apply patches promptly once available.