Description
Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons for Elementor <= 1.3.4 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated cross‑site scripting has been discovered in the WPZOOM Addons for Elementor WordPress plugin, affecting all releases up to and including version 1.3.4. The flaw allows an attacker to inject arbitrary client‑side code that will execute in the browsers of visitors who load a page rendering the plugin.

Affected Systems

The issue impacts the WPZOOM Addons for Elementor plugin, which is installed on WordPress sites that use the Elementor page builder. All installations running plugin version 1.3.4 or earlier are affected.

Risk and Exploitability

The CVSS base score of 7.1 indicates a medium‑to‑high risk. Based on the description, it is inferred that the attack can be performed by an unauthenticated user over a network, potentially via crafted URLs or content that triggers the plugin’s processing. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 14:34 UTC.

Remediation

Vendor Solution

Update the WordPress WPZOOM Addons for Elementor Plugin to the latest available version (at least 1.3.5).


OpenCVE Recommended Actions

  • Update the WPZOOM Addons for Elementor plugin to version 1.3.5 or later.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin until the patch is applied.
  • Optionally deploy a content security policy that restricts inline scripts from the plugin’s domain to mitigate the impact while remediation is pending.

Generated by OpenCVE AI on June 18, 2026 at 14:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpzoom
Wpzoom wpzoom Addons For Elementor
Vendors & Products Wordpress
Wordpress wordpress
Wpzoom
Wpzoom wpzoom Addons For Elementor

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons for Elementor <= 1.3.4 versions.
Title WordPress WPZOOM Addons for Elementor plugin <= 1.3.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
Wpzoom Wpzoom Addons For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:27:08.336Z

Reserved: 2026-04-07T10:48:50.116Z

Link: CVE-2026-39597

cve-icon Vulnrichment

Updated: 2026-06-17T14:26:56.605Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')