Description
Unauthenticated Cross Site Scripting (XSS) in Royal Elementor Addons Pro < 1.7.1041 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw in the Royal Elementor Addons Pro plugin for WordPress, affecting all versions earlier than 1.7.1041. It allows user‑supplied input to be injected into the page content rendered by the plugin, enabling malicious scripts to run in the browsers of any site visitor. The primary impact is the execution of arbitrary client‑side code, which can lead to theft of credentials, session hijacking, defacement, or further social engineering.

Affected Systems

The affected product is the Royal Elementor Addons Pro plugin for WordPress. Versions before 1.7.1041 are impacted. All WordPress sites that have installed an unpatched version of this plugin are therefore vulnerable. The issue is confined to environments where the plugin is active and accessible through standard web requests.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for this XSS vulnerability. Because it is unauthenticated, any visitor to the WordPress site can exploit it, making the attack vector Web‑based. The likely attack vector is web‑based, inferred from the nature of the flaw. The vulnerability is not listed in the CISA KEV catalog, and EPSS data is not available.

Generated by OpenCVE AI on June 18, 2026 at 14:30 UTC.

Remediation

Vendor Solution

Update the WordPress Royal Elementor Addons Pro Plugin to the latest available version (at least 1.7.1041).


OpenCVE Recommended Actions

  • Update the Royal Elementor Addons Pro plugin to version 1.7.1041 or later to receive the security fix.
  • If a quick upgrade is not feasible, temporarily disable the plugin or the specific features that accept untrusted input until a patch can be applied.
  • Apply strict input validation and output sanitization to all content handled by the plugin, ensuring that only safe HTML is rendered, to mitigate any residual XSS risks.

Generated by OpenCVE AI on June 18, 2026 at 14:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Royal-elementor-addons
Royal-elementor-addons royal Elementor Addons
Wordpress
Wordpress wordpress
Vendors & Products Royal-elementor-addons
Royal-elementor-addons royal Elementor Addons
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Royal Elementor Addons Pro < 1.7.1041 versions.
Title WordPress Royal Elementor Addons Pro plugin < 1.7.1041 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Royal-elementor-addons Royal Elementor Addons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:02:23.169Z

Reserved: 2026-04-15T09:19:20.452Z

Link: CVE-2026-40720

cve-icon Vulnrichment

Updated: 2026-06-17T14:02:19.903Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')