Vulnerabilities ›

CVE-2026-4803

High

CWE-79 — Weakness Type

                    Published: May 5, 2026                      ·  Modified: May 12, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

CVE-2026-4803 is a critical Stored XSS vulnerability in Royal Elementor Addons WordPress plugin affecting versions up to 1.7.1056. The vulnerability allows unauthenticated attackers to inject malicious scripts via the 'status' parameter in an AJAX action due to insufficient input sanitization and a publicly leaked nonce. This poses significant risk to Saudi organizations using WordPress-based websites, particularly those in e-commerce, government portals, and corporate communications.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 20:23

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi organizations across multiple sectors: (1) E-commerce and retail platforms using WordPress for online sales; (2) Government agencies and municipalities operating public-facing portals; (3) Banking and financial services using WordPress for customer-facing websites; (4) Healthcare providers with patient information portals; (5) Telecommunications companies with customer service platforms; (6) Educational institutions with WordPress-based learning management systems. The unauthenticated nature and publicly leaked nonce make this particularly dangerous for organizations with inadequate security monitoring.

🏢 Affected Saudi Sectors

E-commerce and Retail Government and Public Administration Banking and Financial Services Healthcare and Medical Services Telecommunications Education and Universities Media and Publishing Hospitality and Tourism

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1598 - Phishing T1566 - Phishing T1204 - User Execution T1059 - Command and Scripting Interpreter T1005 - Data from Local System T1041 - Exfiltration Over C2 Channel

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all WordPress installations using Royal Elementor Addons plugin version 1.7.1056 or earlier

2. Disable the plugin immediately if no patch is available

3. Audit website logs for suspicious AJAX requests to 'wpr_update_form_action_meta' endpoint

4. Search database for stored XSS payloads in form metadata



PATCHING GUIDANCE:

1. Monitor Royal Elementor Addons official repository for security updates

2. When patch becomes available, update to version 1.7.1057 or later immediately

3. Test updates in staging environment before production deployment



COMPENSATING CONTROLS (if patch unavailable):

1. Implement Web Application Firewall (WAF) rules to block requests to 'wpr_update_form_action_meta' AJAX action

2. Apply input validation at WAF level to reject requests with suspicious characters in 'status' parameter

3. Implement Content Security Policy (CSP) headers to prevent inline script execution

4. Disable AJAX functionality for unauthenticated users via WordPress security plugins

5. Implement rate limiting on AJAX endpoints



DETECTION RULES:

1. Monitor for POST requests to '/wp-admin/admin-ajax.php?action=wpr_update_form_action_meta'

2. Alert on 'status' parameter containing: <script>, javascript:, onerror=, onload=, event handlers

3. Monitor database for sudden changes to form metadata containing script tags

4. Track user sessions accessing pages with injected content

5. Log all AJAX requests from unauthenticated users

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع تثبيتات WordPress التي تستخدم إضافة Royal Elementor Addons الإصدار 1.7.1056 أو أقدم

2. تعطيل الإضافة فوراً إذا لم يكن هناك تصحيح متاح

3. تدقيق سجلات الموقع للطلبات المريبة إلى نقطة نهاية AJAX

4. البحث في قاعدة البيانات عن حمولات XSS المخزنة في بيانات النموذج

إرشادات التصحيح:

1. مراقبة مستودع Royal Elementor Addons الرسمي للتحديثات الأمنية

2. عند توفر التصحيح، قم بالتحديث إلى الإصدار 1.7.1057 أو أحدث فوراً

3. اختبر التحديثات في بيئة التدريج قبل نشرها في الإنتاج

الضوابط البديلة (إذا لم يكن التصحيح متاحاً):

1. تطبيق قواعد جدار حماية تطبيقات الويب لحظر الطلبات إلى إجراء AJAX

2. تطبيق التحقق من صحة المدخلات على مستوى WAF لرفض الطلبات ذات الأحرف المريبة

3. تطبيق رؤوس سياسة أمان المحتوى لمنع تنفيذ النصوص البرمجية المضمنة

4. تعطيل وظيفة AJAX للمستخدمين غير المصرح لهم

5. تطبيق تحديد معدل على نقاط نهاية AJAX

قواعد الكشف:

1. مراقبة طلبات POST إلى نقطة نهاية AJAX

2. التنبيه على معامل 'status' يحتوي على: <script>، javascript:، onerror=، onload=

3. مراقبة قاعدة البيانات للتغييرات المفاجئة في بيانات النموذج

4. تتبع جلسات المستخدم التي تصل إلى الصفحات المحقونة

5. تسجيل جميع طلبات AJAX من المستخدمين غير المصرح لهم

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 - Input validation and output encoding controls 5.2.1 - Web application security requirements 5.3.2 - Security testing and vulnerability assessment 6.1.1 - Incident detection and response

🔵 SAMA CSF

ID.BE-5 - Cybersecurity risk management processes PR.DS-1 - Data security and protection PR.IP-1 - Security policy and process establishment DE.CM-1 - Detection and analysis of anomalies

🟡 ISO 27001:2022

A.14.2.1 - Secure development policy A.14.2.5 - Secure development environment A.14.3.1 - Separation of development, test and production environments A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

6.5.1 - Injection flaws prevention 6.5.7 - Cross-site scripting (XSS) prevention 6.2 - Security patches and updates

🔗 References & Sources 6

🔗

https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/class...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad...

security@wordfence.com

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-79

EPSS0.14%

Exploit No

Patch ✗ No

Published 2026-05-05

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-4803

💬 Comments

Introduce Yourself

Sign In Required