CVE-2026-6504 Overview
CVE-2026-6504 is a stored Cross-Site Scripting (XSS) vulnerability in the Royal Elementor Addons and Templates plugin for WordPress. The flaw affects all versions up to and including 1.7.1058. It originates from insufficient input sanitization and output escaping on the title_tag parameter used by the plugin's Posts Timeline and Video Playlist widgets. Authenticated users with Contributor-level access or above can inject arbitrary web scripts that execute in the browser of any visitor who loads an affected page. The issue is tracked under CWE-79.
Critical Impact
Authenticated contributors can persist JavaScript payloads that execute against site visitors and administrators, enabling session theft, account takeover, and content manipulation.
Affected Products
- Royal Elementor Addons and Templates plugin for WordPress, versions through 1.7.1058
- WordPress sites using the wpr-posts-timeline widget
- WordPress sites using the wpr-video-playlist widget
Discovery Timeline
- 2026-05-14 - CVE-2026-6504 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6504
Vulnerability Analysis
The vulnerability resides in the rendering logic of the Posts Timeline and Video Playlist widgets shipped with Royal Elementor Addons and Templates. Both widgets accept a title_tag parameter that controls the HTML tag wrapping displayed titles. The plugin writes this attacker-controlled value into rendered output without applying adequate sanitization or escaping. As a result, an authenticated attacker can supply a crafted title_tag value containing script content that the plugin emits directly into the page DOM. The injected script then runs in the context of every user who visits the page, including administrators.
Root Cause
The plugin fails to validate title_tag against an allow-list of safe HTML tag names and does not pass the value through WordPress escaping helpers such as tag_escape() or esc_html() before output. Because the field is intended to hold structural markup, developers omitted the escaping that would normally apply to free-form text fields. Stored content is rendered on subsequent page loads, making the injection persistent.
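The contrast between the pattern described above and an allow-listed rendering path, as an added PHP example that is not code from the Royal Elementor Addons plugin. The function names, the $settings array layout and the sample inputs are assumptions for illustration; the allow-list mirrors the tags named in this advisory.

```php
<?php
// Added example, not the plugin's own code. Function names and the layout of
// $settings are assumptions made for this illustration.

// Vulnerable pattern: the stored value is trusted as a tag name and written
// straight into the markup. Anything that is not a bare tag name (an attribute,
// a closing bracket followed by new elements) lands in the page as-is.
function render_title_vulnerable(array $settings, string $title): string
{
    $tag = $settings['title_tag'] ?? 'h2';
    return '<' . $tag . '>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</' . $tag . '>';
}

// Hardened pattern: accept only a fixed set of structural tag names and fall
// back to a default for anything else. Inside WordPress the same check is
// usually written as tag_escape() followed by an in_array() test; the
// allow-list alone is used here so the snippet runs outside WordPress.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function sanitize_title_tag($tag, string $default = 'h2'): string
{
    if (!is_string($tag)) {
        return $default;
    }
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_title_safe(array $settings, string $title): string
{
    $tag = sanitize_title_tag($settings['title_tag'] ?? null);
    return '<' . $tag . '>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</' . $tag . '>';
}

// Constructed inputs: a benign setting and one that smuggles an attribute
// into what should be a bare tag name.
$samples = [
    'benign'  => ['title_tag' => 'h3'],
    'hostile' => ['title_tag' => 'h3 onload=x'],
];

foreach ($samples as $label => $settings) {
    echo $label, PHP_EOL;
    echo '  vulnerable: ', render_title_vulnerable($settings, 'Latest posts'), PHP_EOL;
    echo '  hardened:   ', render_title_safe($settings, 'Latest posts'), PHP_EOL;
}
```

For the benign input both paths emit an h3 heading. For the hostile input the vulnerable path copies the extra attribute into both the opening and closing tag, while the hardened path discards the value and renders the default h2. The title text itself is escaped with htmlspecialchars() in both paths (esc_html() in WordPress), which shows why escaping free-form text alone does not close this class of bug: the tag name is structural and must be validated, not escaped.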
Attack Vector
Exploitation requires an authenticated account with at least Contributor privileges. The attacker creates or edits a post or page containing one of the affected widgets and supplies a malicious payload via the title_tag field. The payload is saved to the database and executed each time the page is rendered. Because the attack is network-accessible and changes the security scope (executing in the context of higher-privileged users who view the content), it can be chained to escalate privileges within the WordPress site. Technical details and the corrective code changes are available in the WordPress Plugin Change Log for posts-timeline and the WordPress Plugin Change Log for video-playlist.
Detection Methods for CVE-2026-6504
Indicators of Compromise
- Post or page records in wp_posts containing serialized Elementor data where the title_tag field includes <script>, onerror=, onload=, or javascript: strings.
- Unexpected outbound requests from administrator browsers to attacker-controlled domains after viewing posts that use Posts Timeline or Video Playlist widgets.
- Newly created administrator accounts or modified user roles following Contributor activity on pages containing the affected widgets.
Detection Strategies
- Audit Elementor page metadata for non-standard title_tag values that fall outside expected tags such as h1 through h6, div, span, or p.
- Review the wp_posts and wp_postmeta tables for HTML event handlers or script tags embedded in widget configurations.
- Correlate Contributor-level edits with subsequent administrator session anomalies in web access logs.
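The first two detection strategies above, audit the stored widget configuration rather than the rendered page, as an added PHP example that is not part of this advisory or the plugin. Elementor keeps a page's widget tree as JSON in the _elementor_data post meta value; the JSON below is constructed for the demo, the widget type names and the title_tag setting key come from this advisory, and the surrounding id/elType/widgetType/settings/elements structure follows Elementor's usual layout.

```php
<?php
// Added example, not part of the advisory or the plugin. Walks an Elementor
// `_elementor_data` document and reports affected widgets whose title_tag is
// not one of the expected structural tags.

const AFFECTED_WIDGETS   = ['wpr-posts-timeline', 'wpr-video-playlist'];
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Recursively visit every element (sections, columns, widgets) and collect a
 * finding for each affected widget whose title_tag falls outside the allow-list
 * or is not even a string.
 */
function find_suspicious_title_tags(array $elements, array &$findings = []): array
{
    foreach ($elements as $el) {
        $type = $el['widgetType'] ?? null;
        if ($type !== null && in_array($type, AFFECTED_WIDGETS, true)) {
            $tag = $el['settings']['title_tag'] ?? null;
            if ($tag !== null
                && (!is_string($tag) || !in_array(strtolower(trim($tag)), ALLOWED_TITLE_TAGS, true))) {
                $findings[] = [
                    'element_id' => $el['id'] ?? '?',
                    'widget'     => $type,
                    'title_tag'  => is_string($tag) ? $tag : json_encode($tag),
                ];
            }
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            find_suspicious_title_tags($el['elements'], $findings);
        }
    }
    return $findings;
}

// Constructed sample of an _elementor_data value: one clean widget and one
// tampered widget, both nested inside a section and a column.
$elementor_data = <<<'JSON'
[
  {"id":"a1","elType":"section","settings":{},"elements":[
    {"id":"b2","elType":"column","settings":{},"elements":[
      {"id":"c3","elType":"widget","widgetType":"wpr-posts-timeline",
       "settings":{"title_tag":"h3"},"elements":[]},
      {"id":"d4","elType":"widget","widgetType":"wpr-video-playlist",
       "settings":{"title_tag":"h3 onload=x"},"elements":[]}
    ]}
  ]}
]
JSON;

$elements = json_decode($elementor_data, true, 512, JSON_THROW_ON_ERROR);
$findings = find_suspicious_title_tags($elements);

if ($findings === []) {
    echo "no suspicious title_tag values found", PHP_EOL;
}
foreach ($findings as $f) {
    printf("element %s (%s): title_tag=%s\n", $f['element_id'], $f['widget'], $f['title_tag']);
}
```

On a live site the same function can be run over the output of `wp post meta get <post-id> _elementor_data` for each post that uses Elementor. The check is deliberately an allow-list rather than a search for known bad substrings: it flags any value that is not a plain tag name, so it does not depend on guessing which handler or scheme an injected value uses.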
Monitoring Recommendations
- Enable WordPress audit logging to track post edits performed by Contributor and Author accounts.
- Monitor web server logs for POST requests to admin-ajax.php and the Elementor editor endpoints originating from low-privilege users.
- Alert on Content Security Policy violation reports referencing inline script execution on pages using Royal Elementor widgets.
How to Mitigate CVE-2026-6504
Immediate Actions Required
- Update the Royal Elementor Addons and Templates plugin to the version that includes changeset 3525351, which addresses both affected widgets.
- Review all existing posts and pages that use the Posts Timeline or Video Playlist widgets and inspect the title_tag values for malicious content.
- Rotate credentials and invalidate sessions for any administrator account that may have viewed compromised content.
Patch Information
The vendor addressed the issue in the changeset referenced by the Wordfence Vulnerability Report. Upgrade beyond version 1.7.1058 to receive the fix that adds proper sanitization and output escaping for title_tag in wpr-posts-timeline.php and wpr-video-playlist.php.
Workarounds
- Restrict Contributor and Author roles from editing pages that contain Royal Elementor widgets until the plugin is updated.
- Deactivate the Royal Elementor Addons and Templates plugin if an immediate patch cannot be applied and the affected widgets are in use.
- Deploy a Content Security Policy that disallows inline scripts to reduce the impact of stored XSS payloads.
- Enforce a web application firewall rule that blocks title_tag values containing characters outside an HTML tag allow-list.
# Detection example: enumerate posts whose Elementor widget settings carry
# suspicious title_tag values. Elementor stores widget settings as JSON in
# wp_postmeta under the _elementor_data key, so that is the column searched
# here; post_content only holds the rendered fallback copy of the page.
# Assumes the default wp_ table prefix.
wp db query "SELECT p.ID, p.post_title FROM wp_posts p \
JOIN wp_postmeta m ON m.post_id = p.ID AND m.meta_key = '_elementor_data' \
WHERE m.meta_value LIKE '%title_tag%' \
AND (m.meta_value LIKE '%<script%' \
OR m.meta_value LIKE '%onerror=%' \
OR m.meta_value LIKE '%onload=%' \
OR m.meta_value LIKE '%javascript:%');"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.