CVE April 25, 2026 3 min read

Royal Elementor Addons CSRF Vulnerability

Attackers can trick administrators into changing plugin settings in Royal Elementor Addons. This CSRF flaw lets an attacker perform actions in the admin's name without the admin's consent. Protect your site now.

CVE-2026-5428: What Is the Risk?

This vulnerability scores 6.4 (medium) on the CVSS scale. It is a Cross-Site Request Forgery (CSRF) issue. Attackers can force an authenticated administrator's browser to submit requests the administrator never intended, changing plugin configuration or disabling features the plugin controls. The attack requires user interaction (an administrator must visit an attacker-controlled page or follow a crafted link while logged in) but needs no credentials on the attacker's side, so it is low-effort once that click is obtained.

Vulnerability Description

CVE-2026-5428 affects the Royal Elementor Addons plugin. This plugin adds widgets and features to Elementor. The affected settings handlers do not verify a WordPress nonce (the plugin's equivalent of a CSRF token), so they cannot tell a request the administrator submitted from one an attacker's page submitted on the administrator's behalf. This allows attackers to forge requests.

An attacker creates a malicious link or page that submits a request to the site's settings endpoint. They trick an administrator who is logged in to WordPress into visiting it. The admin's browser sends the request to the site, and because the browser attaches the site's authentication cookies automatically, the request arrives with a valid session. The request changes plugin settings the admin never intended to change. The server sees a valid session, has nothing that proves intent, and executes the action.

Attackers can change widget settings and modify global plugin options. Through the template import path they might inject malicious content into the site. The impact is bounded by which actions the unprotected handlers expose; nothing on this page establishes that user creation is among them.

Affected Versions

All versions before the fix are affected (1.0.0 through 1.3.98; see the version details below). The vendor has released a security fix. Check your plugin version immediately and update to the patched version without delay. Unpatched versions are an easy target.

How to Fix It

Update Royal Elementor Addons to the latest version. Go to your WordPress admin dashboard, navigate to Plugins, find Royal Elementor Addons and click Update Now. The fix adds nonce verification to the affected settings forms using the standard WordPress nonce functions, so a request is only accepted when it carries a token the plugin itself issued to that user.
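To make the flaw and the fix concrete, here is an added example of the pattern involved. It is not code from Royal Elementor Addons; the option name, action names and nonce action string are hypothetical. The first handler accepts any request that arrives with an administrator's cookies, which is exactly what the forged request described above relies on. The second renders the form with a nonce and refuses requests that lack a valid one, and also checks the capability, because a nonce proves intent but not authorization.

```php
<?php
/*
 * Added example, not Royal Elementor Addons code.
 * Option/action names (ex_enable_feature, ex_vuln_save, ex_safe_save,
 * ex_save_settings) are hypothetical. Drop into a plugin file to try it.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Nothing here proves the administrator intended this request. A form on an
// attacker's page that POSTs to admin-post.php?action=ex_vuln_save is accepted
// because the browser attaches the logged-in cookies automatically.
function ex_vulnerable_save_settings() {
    $enabled = isset( $_POST['ex_enable_feature'] ) ? 1 : 0;
    update_option( 'ex_enable_feature', $enabled );
    wp_safe_redirect( admin_url( 'admin.php?page=ex-settings' ) );
    exit;
}
add_action( 'admin_post_ex_vuln_save', 'ex_vulnerable_save_settings' );

// --- Hardened pattern -------------------------------------------------------
// The form carries a nonce bound to the current user and to the action string
// 'ex_save_settings'. An attacker's page cannot read it cross-origin.
function ex_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ex_safe_save">
        <?php wp_nonce_field( 'ex_save_settings', '_ex_nonce' ); ?>
        <label>
            <input type="checkbox" name="ex_enable_feature" value="1"
                <?php checked( 1, (int) get_option( 'ex_enable_feature', 0 ) ); ?>>
            Enable feature
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function ex_safe_save_settings() {
    // 1. Authorization: only users allowed to manage options, not merely
    //    anyone who is logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the nonce must match this user and this action.
    //    check_admin_referer() calls wp_die() when the check fails, so a
    //    forged request never reaches update_option().
    check_admin_referer( 'ex_save_settings', '_ex_nonce' );

    $enabled = isset( $_POST['ex_enable_feature'] ) ? 1 : 0;
    update_option( 'ex_enable_feature', $enabled );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=ex-settings' ) ) );
    exit;
}
add_action( 'admin_post_ex_safe_save', 'ex_safe_save_settings' );
```

Two points worth keeping in mind when reviewing a handler like this: WordPress nonces are time-limited tokens tied to the user and action string rather than single-use tokens, so they must never be echoed into a page an unauthenticated user can read; and for AJAX endpoints the equivalent check is `check_ajax_referer()`, with the same capability check alongside it.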

Educate your admin users about phishing attacks and tell them not to follow suspicious links while logged in to the site. A web application firewall adds a generic layer of defense, but it cannot on its own distinguish a forged request from a legitimate one, so treat it as a supplement to the update, not a replacement. Keep your WordPress core updated and enable automatic updates for plugins. This reduces your exposure to CSRF and similar attacks.

What Are Royal Elementor Addons?

Royal Elementor Addons is a popular Elementor add-on plugin with over 200,000 active installations. It extends the Elementor page builder with additional widgets, templates, and design options. Web designers use it to create complex layouts without writing code.

CSRF vulnerabilities in page builder plugins are dangerous because attackers can modify site content without permission.

CVE-2026-5428 Explained

CVE-2026-5428 is a Cross-Site Request Forgery vulnerability. The plugin does not include nonce verification on its settings forms. An attacker can craft a malicious link that, when clicked by an authenticated admin, changes plugin settings or imports malicious template data.

This vulnerability allows an attacker to modify the plugin’s settings, inject content into posts, or install malicious templates. The attack happens without the admin realizing anything is wrong.

Versions at Risk

Royal Elementor Addons versions 1.0.0 to 1.3.98 are affected. Version 1.3.99 adds CSRF protection. Update immediately if you are below version 1.3.99.

Update Instructions

Open your plugins page and update Royal Elementor Addons. After the update, review your site for any unauthorized changes to layouts, plugin settings, or imported templates, since a successful CSRF leaves no failed-login trace and the only evidence is the changed state itself. A WAF can add generic protections, but because a forged request looks identical to a legitimate one at the HTTP level, it is not a reliable block for CSRF; updating is the fix.

The Royal Elementor Addons plugin is available on wordpress.org/plugins/royal-elementor-addons/.
