CVE-2026-5159 Overview
CVE-2026-5159 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Royal Addons for Elementor plugin for WordPress. The flaw affects all versions up to and including 1.7.1056. It resides in the Instagram Feed widget's instagram_follow_text setting due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or above can inject arbitrary web scripts into pages. The injected scripts execute in the browser of any user who accesses the affected page. Exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token.
Critical Impact
Authenticated users with Contributor privileges can inject persistent JavaScript that executes against site visitors and administrators, enabling session theft and account takeover.
Affected Products
- Royal Addons for Elementor (royal-elementor-addons) WordPress plugin
- All versions through 1.7.1056
- Sites with the Instagram Feed widget configured using a valid Instagram access token
Discovery Timeline
- 2026-05-05 - CVE-2026-5159 published to the National Vulnerability Database (NVD)
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5159
Vulnerability Analysis
The vulnerability is a stored XSS issue tracked under [CWE-79]. The Royal Addons for Elementor plugin exposes an Instagram Feed widget that accepts a configurable follow-button label through the instagram_follow_text setting. The plugin fails to sanitize this input on save and fails to escape it on output when rendering the widget on the front end.
An authenticated user with Contributor-level access or above can place arbitrary HTML and JavaScript inside the instagram_follow_text field. When a visitor or administrator loads the page that embeds the widget, the injected payload executes within the site's origin. This enables session cookie theft, forced administrative actions, redirection, and arbitrary DOM manipulation. Because the payload is persisted in widget settings, every subsequent visitor is affected until the content is removed.
Root Cause
The root cause is missing input validation and output encoding around the instagram_follow_text widget setting in modules/instagram-feed/widgets/wpr-instagram-feed.php. The plugin does not apply WordPress escape functions such as esc_html() or wp_kses() before emitting the value into the rendered markup. Code references published with the advisory point to lines 2181-2193, 5528-5530, and 5623-5625 of the affected file.
Attack Vector
The attack vector is network-based and requires low-privileged authentication. An attacker with a Contributor account edits a post or template that uses the Instagram Feed widget, supplies a JavaScript payload in the instagram_follow_text field, and submits the content. The widget only renders the field once an administrator has configured a valid Instagram access token, so exploitation depends on that pre-existing setup. After the page is published or previewed, the script runs in the browser of any user who loads it.
No verified public proof-of-concept code is available. See the Wordfence Vulnerability Analysis and the WordPress Plugin Code Snippet for technical context.
Detection Methods for CVE-2026-5159
Indicators of Compromise
- Posts, pages, or Elementor templates containing Instagram Feed widget configurations with <script> tags, on* event handlers, or javascript: URIs in the instagram_follow_text field.
- Unexpected outbound requests from visitor browsers to attacker-controlled domains originating from pages that embed the Instagram Feed widget.
- New or modified Contributor-level accounts that have edited posts referencing the Royal Addons Instagram Feed widget.
Detection Strategies
- Audit the WordPress wp_postmeta table for Elementor data containing instagram_follow_text values that include HTML or JavaScript syntax.
- Inspect rendered HTML of public pages for inline event handlers or scripts adjacent to Instagram follow elements emitted by the plugin.
- Review WordPress activity logs for content edits made by Contributor or Author accounts that touch widgets in the Royal Addons module.
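The following Python is an added illustration of the first strategy above (it is not code from the advisory, the plugin, or Wordfence): it walks the JSON stored under the _elementor_data meta key for rows pulled from wp_postmeta and reports any instagram_follow_text value carrying the markup patterns listed under Indicators of Compromise. The sample rows and the widgetType name are constructed; only the setting name and the indicator patterns come from the advisory.

```python
import json
import re

# Indicators named in the advisory: <script> tags, on* event handlers and
# javascript: URIs rank as "script"; any other markup in the value is "html".
SCRIPT_PATTERN = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)
HTML_TAG = re.compile(r"<\s*/?[a-z!][^>]*>", re.I)

# Constructed rows shaped like: SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'
# The widgetType is a placeholder; only the instagram_follow_text setting name is from the advisory.
SAMPLE_ROWS = [
    (101, json.dumps([{"id": "s1", "elType": "section", "elements": [
        {"id": "c1", "elType": "column", "elements": [
            {"id": "w1", "elType": "widget", "widgetType": "placeholder-instagram-feed",
             "settings": {"instagram_follow_text": "Follow us on Instagram"}}]}]}])),
    (102, json.dumps([{"id": "s2", "elType": "section", "elements": [
        {"id": "w2", "elType": "widget", "widgetType": "placeholder-instagram-feed",
         "settings": {"instagram_follow_text": "Follow <b>us</b>"}},
        {"id": "w3", "elType": "widget", "widgetType": "placeholder-instagram-feed",
         "settings": {"instagram_follow_text": "<a href=\"javascript:void(0)\">Follow</a>"}}]}])),
]

def walk_elements(elements):  # every element in Elementor's nested section/column/widget tree
    for el in elements:
        if isinstance(el, dict):
            yield el
            yield from walk_elements(el.get("elements") or [])

def classify(value):  # 'script', 'html' or None for one instagram_follow_text value
    if isinstance(value, str) and SCRIPT_PATTERN.search(value):
        return "script"
    return "html" if isinstance(value, str) and HTML_TAG.search(value) else None

def scan_elementor_data(meta_value):
    """Return [(element_id, severity, value)] for suspicious values in one meta row."""
    try:
        tree = json.loads(meta_value)
    except (TypeError, ValueError):
        return []  # empty or non-JSON meta value: nothing Elementor-shaped to scan
    findings = []
    for el in walk_elements(tree if isinstance(tree, list) else []):
        settings = el.get("settings")  # Elementor stores an empty settings array as []
        value = settings.get("instagram_follow_text") if isinstance(settings, dict) else None
        if severity := classify(value):
            findings.append((el.get("id", "?"), severity, value))
    return findings

def scan_postmeta_rows(rows):
    """Scan (post_id, meta_value) rows; return {post_id: findings} for posts with hits."""
    return {pid: f for pid, mv in rows if (f := scan_elementor_data(mv))}
```

Feed it the real rows from a database export and review every "script" hit first; "html" hits are usually legitimate formatting but still deserve a look, since the setting should only ever hold a short plain-text label.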
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) with rules that flag script injection patterns submitted to the Elementor editor save endpoints.
- Alert on creation of low-privilege user accounts followed by edits to pages using third-party Elementor add-ons.
- Monitor browser-side Content Security Policy (CSP) violation reports for inline script execution on pages using the Instagram Feed widget.
How to Mitigate CVE-2026-5159
Immediate Actions Required
- Update the Royal Addons for Elementor plugin to a version newer than 1.7.1056 once the vendor's patched release is available.
- Restrict Contributor, Author, and Editor accounts to trusted users and review recent edits to any page that uses the Instagram Feed widget.
- Remove or sanitize any existing instagram_follow_text values that contain HTML or JavaScript content.
Patch Information
The vendor published a fix referenced by the WordPress Plugin Changeset Update (changeset 3514368). Site administrators should upgrade through the WordPress plugin manager and verify the installed version exceeds 1.7.1056.
Workarounds
- Temporarily disable the Royal Addons for Elementor plugin until the patched version is deployed.
- Remove the Instagram access token configuration from the Instagram Feed widget to prevent the vulnerable code path from rendering.
- Limit Contributor-level capabilities or revoke editing rights for users who do not require post creation privileges.
- Deploy a strict Content Security Policy that blocks inline script execution on pages rendered by the affected plugin.
# Configuration example: identify the installed plugin version using WP-CLI
wp plugin get royal-elementor-addons --field=version
wp plugin update royal-elementor-addons
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.