CVE-2025-5338: 
WordPress vulnerability analysis and mitigation

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2025-5338) in all versions up to and including 1.7.1024. The vulnerability was discovered and disclosed on June 25, 2025 (NVD, Wiz).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes across multiple widgets. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject and execute malicious JavaScript code in the context of other users' browsers who visit the affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (Wiz).

Users should update to a version newer than 1.7.1024 once available. Until then, it is recommended to restrict contributor and author access to only trusted users, and carefully review any content created using the Royal Elementor Addons plugin (Wiz).