Impact
The vulnerability is an unauthenticated Cross Site Scripting flaw in the Royal Elementor Addons Pro plugin for WordPress, affecting all versions earlier than 1.7.1041. It allows user‑supplied input to be injected into the page content rendered by the plugin, enabling malicious scripts to run in the browsers of any site visitor. The primary impact is the execution of arbitrary client‑side code, which can lead to theft of credentials, session hijacking, defacement, or further social engineering.
Affected Systems
The affected product is the Royal Elementor Addons Pro plugin for WordPress. Versions before 1.7.1041 are impacted. All WordPress sites that have installed an unpatched version of this plugin are therefore vulnerable. The issue is confined to environments where the plugin is active and accessible through standard web requests.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity for this XSS vulnerability. Because it is unauthenticated, any visitor to the WordPress site can exploit it, making the attack vector Web‑based. The likely attack vector is web‑based, inferred from the nature of the flaw. The vulnerability is not listed in the CISA KEV catalog, and EPSS data is not available.
OpenCVE Enrichment