Security Advisory: XSS in Royal Elementor Addons (CVE-2026-0664)

Cross Site Scripting (XSS) in WordPress Royal Elementor Addons Plugin

Royal Elementor Addons <= 1.7.1049 — Authenticated Contributor Stored XSS via REST API Meta Bypass (CVE-2026-0664)


Plugin Name: Royal Elementor Addons
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-0664
Urgency: Low
CVE Publish Date: 2026-04-03
Source URL: CVE-2026-0664


Date: 3 April 2026
Severity: Low urgency (CVSS base score 6.5, which falls in the Medium band of the CVSS v3 scale)
Affected versions: Royal Elementor Addons <= 1.7.1049
Patched in: 1.7.1050
Required privilege: Contributor (authenticated)

Written from the perspective of a Hong Kong security specialist who reviews WordPress plugin risk and handles incident response, this advisory covers CVE-2026-0664: its practical impact for site owners and administrators, detection techniques, immediate mitigations, and longer-term defences. The vulnerability lets an authenticated Contributor persist JavaScript through the plugin's REST API meta handling because the stored values were not sufficiently sanitized. Exploitation usually depends on a more privileged user later rendering the stored content, so the real exposure depends on how the site is used; stored XSS nonetheless remains a reliable route to account compromise and persistence.

Executive summary

  • What happened: A REST API meta-handling flaw in Royal Elementor Addons allowed Contributors to store arbitrary HTML/JS in postmeta or plugin meta fields without appropriate sanitization.
  • Who can initiate it: Any authenticated user with Contributor privileges on the affected site. Contributors can normally only write drafts, so this is a low bar on sites that accept guest authors or open registration.
  • Likely impact: Stored XSS. The malicious script persists and executes when another user (often an Editor or Administrator) views or interacts with the affected content. Because it runs in the victim's authenticated browser session, it can drive the dashboard on their behalf (create or promote users, change settings, install plugins or upload backdoors) or deface the site. Outright cookie theft is less likely, since WordPress marks its authentication cookies HttpOnly; attackers therefore tend to script the privileged actions directly rather than exfiltrate the session.
  • Immediate remediation: Update Royal Elementor Addons to version 1.7.1050 or later. If an immediate update is not possible, apply the mitigations below: restrict Contributor activity, virtually patch via WAF or server rules, sanitize or remove suspect meta, and audit user accounts.
  • Long term: Enforce least privilege, sanitize on input and escape on output, harden REST API access, monitor for suspicious requests and stored scripts, and adopt layered protections and monitoring.
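To make the class of flaw in the summary concrete, the following is an added illustration written for this advisory; it is not code from Royal Elementor Addons and does not reproduce the plugin's real meta keys or fix. It shows a REST-exposed post meta field registered without sanitization or an authorization check (the pattern that turns a Contributor's draft into a stored-XSS sink), the hardened registration beside it, and a read-only audit helper for the "sanitize suspect meta" mitigation. The meta key `demo_banner_html`, the post type `page`, and the `demo_*` function names are assumptions made for the example.

```php
<?php
/**
 * Illustrative example added to this advisory. Not the plugin's code.
 * Assumed names: meta key 'demo_banner_html', post type 'page', demo_* functions.
 */

// VULNERABLE pattern (shown for contrast; not hooked below).
// The key is exposed to the REST API with no sanitize_callback and no
// auth_callback. Any user who may edit the post (a Contributor on their own
// draft) can write arbitrary HTML/JS with
//   POST /wp-json/wp/v2/pages/<id>  {"meta":{"demo_banner_html":"<script>...</script>"}}
// Whoever later renders the value unescaped (an Editor previewing the draft,
// an Administrator in the dashboard) executes the script in their own session.
function demo_register_meta_vulnerable() {
    register_post_meta( 'page', 'demo_banner_html', array(
        'type'         => 'string',
        'single'       => true,
        'show_in_rest' => true,
        // missing: 'sanitize_callback', 'auth_callback'
    ) );
}

// HARDENED pattern: sanitize on every write path (REST included) and only let
// users who may already publish unfiltered markup write this key.
function demo_register_meta_hardened() {
    register_post_meta( 'page', 'demo_banner_html', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        // wp_kses_post keeps the post-content allowlist: no <script>,
        // no on* event handlers, no javascript: URLs. Core applies it via the
        // sanitize_post_meta_{key} filter, so REST writes are covered too.
        'sanitize_callback' => 'wp_kses_post',
        // Core applies this via auth_post_meta_{key}. Returning false makes the
        // REST API answer 403 (rest_cannot_update) for the Contributor.
        'auth_callback'     => function ( $allowed, $meta_key, $post_id, $user_id ) {
            return user_can( $user_id, 'unfiltered_html' );
        },
    ) );
}
add_action( 'init', 'demo_register_meta_hardened' );

// Output side: escape regardless of registration, because rows written before
// the fix are still in the database and bypassing sanitization on one path is
// exactly what this CVE describes.
function demo_render_banner( $post_id ) {
    $html = get_post_meta( $post_id, 'demo_banner_html', true );
    return wp_kses_post( (string) $html );
}

// Audit helper for the "sanitize suspect meta" mitigation: report postmeta rows
// under a key whose stored value is not already wp_kses_post-clean. Read-only;
// review hits before cleaning or deleting them.
function demo_find_suspect_meta( $meta_key ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT meta_id, post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
        $meta_key
    ) );
    $suspect = array();
    foreach ( $rows as $row ) {
        if ( wp_kses_post( $row->meta_value ) !== $row->meta_value ) {
            $suspect[] = array(
                'meta_id' => (int) $row->meta_id,
                'post_id' => (int) $row->post_id,
            );
        }
    }
    return $suspect;
}
```

Run the audit from WP-CLI with `wp eval 'print_r( demo_find_suspect_meta( "demo_banner_html" ) );'` once the file is loaded as a plugin; the vulnerable registration is left unhooked so the two patterns can be compared without both claiming the same key. Note that `unfiltered_html` is granted to Administrators on single-site installs but only to Super Admins on multisite, so the hardened `auth_callback` is deliberately stricter than "can edit this post".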

How the vulnerability works (high level technical overview)

The plugin exposes REST endpoints that accept metadata. A flaw in meta handling allowed Contributor-supplied values containing HTML and