CVE-2026-5428: Royal Elementor Addons XSS Vulnerability

CVE-2026-5428 Overview

The Royal Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Image Grid/Slider/Carousel widget affecting versions up to and including 1.7.1056. The vulnerability exists due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This allows authenticated attackers with Author-level access or higher to inject malicious scripts that execute when users view pages containing the affected media grid widget.

Critical Impact

Authenticated attackers can inject persistent malicious JavaScript through image captions, enabling session hijacking, credential theft, and administrative account compromise on affected WordPress sites.

Affected Products

• Royal Elementor Addons plugin for WordPress versions up to and including 1.7.1056
• WordPress installations using the vulnerable Image Grid/Slider/Carousel widget
• Sites with Author-level or higher user accounts that could be compromised

Discovery Timeline

• 2026-04-24 - CVE-2026-5428 published to NVD
• 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-5428

Vulnerability Analysis

This Stored XSS vulnerability (CWE-79) stems from improper output encoding in the Royal Elementor Addons plugin's media grid functionality. The render_post_thumbnail() function processes image caption data and outputs it within HTML attribute contexts. The developer used wp_kses_post() for sanitization, which is designed to allow a subset of HTML tags for post content but is insufficient for attribute context output.

When user-supplied image caption data is rendered within the alt attribute of image elements, the use of wp_kses_post() instead of esc_attr() creates an exploitable injection point. While wp_kses_post() filters certain HTML tags, it does not properly escape special characters like double quotes that are critical in attribute contexts, allowing attackers to break out of the attribute and inject arbitrary JavaScript.

The vulnerability requires Author-level authentication, limiting the attack surface but still presenting significant risk on multi-author sites or where author accounts could be compromised.

Root Cause

The root cause is the use of an incorrect sanitization function for the output context. The wp_kses_post() function is designed for filtering HTML content in post bodies, not for escaping values placed inside HTML attributes. For attribute contexts, WordPress provides esc_attr() which properly encodes special characters including double quotes, single quotes, and ampersands. By using the wrong function, the plugin fails to neutralize attribute-breaking characters, enabling injection of malicious event handlers or scripts.

Attack Vector

The attack exploits the network-accessible WordPress media grid widget functionality. An authenticated attacker with at least Author-level privileges can upload an image with a specially crafted caption containing JavaScript payloads. When this image is displayed via the Image Grid/Slider/Carousel widget, the malicious script executes in the browser context of any user viewing the page.

The attack flow involves:

1. The attacker authenticates to WordPress with Author or higher privileges
2. An image is uploaded with a malicious caption containing JavaScript embedded in attribute-breaking syntax
3. The image is added to a page using the vulnerable media grid widget
4. When visitors (including administrators) view the page, the injected JavaScript executes
5. The malicious script can steal session cookies, perform actions as the victim, or redirect users to phishing pages

Since authentication is required and no user interaction beyond viewing the page is needed, this represents a stored XSS attack with lower barrier for exploitation compared to unauthenticated variants.

Detection Methods for CVE-2026-5428

Indicators of Compromise

• Unexpected JavaScript code within image caption or alt text fields in the WordPress media library
• Unusual user session activity following visits to pages with media grid widgets
• Reports of unexpected redirects, pop-ups, or behavior on pages containing image galleries
• Suspicious modifications to image metadata by Author-level accounts

Detection Strategies

• Review image caption and alt text fields for suspicious content including script tags, event handlers, or encoded JavaScript payloads
• Monitor WordPress database tables wp_postmeta and wp_posts for caption/alt values containing <script>, onerror=, onload=, or similar injection patterns
• Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
• Use WordPress security plugins to scan for known XSS patterns in media metadata

Monitoring Recommendations

• Enable comprehensive logging for WordPress media library operations, particularly caption and metadata updates
• Deploy web application firewalls (WAF) with XSS detection rules specific to attribute injection patterns
• Monitor for unusual patterns of image uploads or metadata modifications from Author-level accounts
• Implement browser-side monitoring using CSP report-uri directives to capture violation reports

How to Mitigate CVE-2026-5428

Immediate Actions Required

• Update Royal Elementor Addons plugin to a version newer than 1.7.1056 that contains the security fix
• Audit existing image captions in the media library for potentially malicious content
• Review Author-level and above user accounts for signs of compromise
• Consider temporarily disabling the Image Grid/Slider/Carousel widget until the update is applied

Patch Information

The vulnerability has been addressed in the plugin's codebase. The fix involves replacing wp_kses_post() with esc_attr() for proper attribute context escaping at line 6752 and line 6755 in the wpr-media-grid.php file. The changeset demonstrates the required code changes. Additional details are available in the Wordfence Vulnerability Report.

Workarounds

• Restrict Author-level and above access to trusted users only until the patch is applied
• Implement Content Security Policy headers to mitigate the impact of successful XSS exploitation
• Use a Web Application Firewall (WAF) with XSS filtering rules to block common injection patterns
• Temporarily remove or disable the Image Grid/Slider/Carousel widget from public-facing pages

# Example CSP header configuration for Apache to mitigate XSS impact
# Add to .htaccess or Apache configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"