Stored Cross-Site Scripting Vulnerability in Royal Elementor Addons for WordPress
CVE-2024-12120

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Royal Elementor Addons And Templates
Vendor: CVE Published:; 7 May 2025

What is CVE-2024-12120?

The Royal Elementor Addons and Templates plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability. This issue arises from the inadequacy of input sanitization and output escaping on the Countdown widget's display_message_text parameter. Authenticated attackers, who have Contributor-level access and above, can exploit this flaw to inject arbitrary scripts into pages. These scripts will execute whenever users visit the compromised pages, posing significant risks to user data and website integrity. It's crucial for users of the plugin to update to the latest version to mitigate this vulnerability.

Affected Version(s)

Royal Elementor Addons and Templates * <= 1.7.1017

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3236381/roya...

https://plugins.trac.wordpress.org/changeset/3285549/roya...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2025
Vulnerability Reserved
Dec 3, 2024

Credit

D.Sim