CVE-2026-4803
Royal Elementor Addons · Royal Elementor Addons
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'status' parameter.
Executive summary
Stored Cross-Site Scripting (XSS) in the Royal Elementor Addons plugin for WordPress lets an authenticated user store a script payload that later executes in the browsers of other users, including administrators. Update the plugin to the patched version.
Vulnerability
The plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'status' parameter of the wpr_update_form_action_meta AJAX action: the submitted value is stored and later rendered without adequate sanitization or output escaping. An authenticated attacker with the privileges needed to call that action can store a script payload that executes in the browser of any user who views the affected page, including administrators.
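To make the mechanism concrete, here is an added example, not code from Royal Elementor Addons, of a WordPress AJAX handler that saves a form "status" setting. The handler names, the post-meta key and the set of allowed status values are assumptions; the vulnerable pattern (raw request value stored, later echoed unescaped) is shown beside the hardened pattern that a fix for this class of bug applies: nonce check, capability check, allowlist validation on input and escaping on output.

```php
<?php
/*
 * Illustrative WordPress AJAX handler for a "form action status" setting.
 * Added example, NOT code from Royal Elementor Addons: the function names,
 * the meta key '_example_form_action_status' and the allowed values are assumed.
 */

/* ---- Vulnerable pattern: raw request value stored, later echoed unescaped ---- */

function example_vuln_update_form_action_meta() {
    // No nonce check, no capability check, no validation of 'status'.
    $form_id = (int) $_POST['form_id'];
    $status  = $_POST['status'];   // attacker sends e.g. "<script>...</script>"
    update_post_meta( $form_id, '_example_form_action_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_vuln_update_form_action_meta', 'example_vuln_update_form_action_meta' );

function example_vuln_render_status( $form_id ) {
    // The stored value is printed straight into the admin page: stored XSS.
    echo '<span class="status">' . get_post_meta( $form_id, '_example_form_action_status', true ) . '</span>';
}

/* ---- Hardened pattern: authorize, validate against an allowlist, escape on output ---- */

const EXAMPLE_ALLOWED_STATUSES = array( 'enabled', 'disabled' ); // assumed set of valid values

function example_safe_update_form_action_meta() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (client side: wp_create_nonce( 'example_form_action_meta' ) sent as 'nonce').
    check_ajax_referer( 'example_form_action_meta', 'nonce' );

    // 2. Authorization: only a user allowed to edit this form may change its settings.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( ! $form_id || ! current_user_can( 'edit_post', $form_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: reject anything outside the known set of values,
    //    so markup never reaches the database in the first place.
    $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, EXAMPLE_ALLOWED_STATUSES, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    update_post_meta( $form_id, '_example_form_action_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}
add_action( 'wp_ajax_example_safe_update_form_action_meta', 'example_safe_update_form_action_meta' );

function example_safe_render_status( $form_id ) {
    // 4. Output escaping: even if a bad value is already stored (old data,
    //    another code path), it cannot execute when rendered.
    $status = get_post_meta( $form_id, '_example_form_action_status', true );
    echo '<span class="status">' . esc_html( $status ) . '</span>';
}
```

The allowlist in step 3 is the strongest control for a setting like a status flag; where a field must legitimately accept free text, sanitize_text_field() on input plus esc_html() or esc_attr() at the point of output is the WordPress-idiomatic minimum. Note that steps 1 and 2 are independent of the XSS: without them the handler is also open to cross-site request forgery and to use by users who should not be able to edit the form.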
Business impact
Rated CVSS 7.2, this is a high-severity issue. A stored payload that runs in an administrator's browser can hijack that session, perform administrative actions with the victim's privileges, or deface the site, with direct consequences for the site's security and trustworthiness.
Remediation
Immediate Action: Update Royal Elementor Addons to the latest version, which patches the vulnerability.
Proactive Monitoring: Review form action settings in the WordPress dashboard for unexpected markup or script, and watch web server or WAF logs for unexpected calls to the wpr_update_form_action_meta AJAX action.
Compensating Controls: Until the update is applied, use a Web Application Firewall (WAF) with XSS rules to block script-bearing payloads submitted to the vulnerable AJAX action.
Exploitation status
Public Exploit Available: false
Analyst recommendation
XSS flaws in widely installed plugins are routinely targeted. Apply the update promptly and, because exploitation requires an authenticated user, keep the set of accounts able to call this action, and administrative access generally, as small as possible.