CVE-2025-3813: 
WordPress vulnerability analysis and mitigation

The Royal Elementor Addons and Templates plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-3813) discovered in May 2025. The vulnerability affects all versions up to and including 1.7.1020, and is related to insufficient input sanitization and output escaping in the 'elementordata' parameter. This security issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) (NVD, Wiz).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium). The attack vector requires an authenticated user with Contributor-level access or higher. The vulnerability stems from improper input validation and output escaping in the plugin's form submission handling, specifically in the 'elementordata' parameter (Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions or data theft (NVD).

Users should upgrade to version 1.7.1021 or later of the Royal Elementor Addons and Templates plugin, which contains the security fix. The update implements proper input sanitization and output escaping for the affected parameter (WordPress Plugin).