Skip to main content

WPZOOM Addons for Elementor CVE-2026-39597

| EUVDEUVD-2026-37590 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress endpoint (AV:N), trivial reflected payload (AC:L), no attacker auth (PR:N), victim click required (UI:R); scope change reflects script executing in victim's site context with low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.1
Analysis Generated
Jun 17, 2026 - 12:20 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WPZOOM Addons for Elementor <= 1.3.4 versions.

AnalysisAI

Reflected cross-site scripting in the WPZOOM Addons for Elementor WordPress plugin (versions 1.3.4 and earlier) allows unauthenticated remote attackers to inject arbitrary script into a victim's browser session by tricking them into following a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting potential impact on the broader WordPress site context; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running vulnerable plugin
Delivery
Craft URL with reflected XSS payload
Exploit
Deliver link to WordPress admin via phishing
Execution
Admin clicks link in authenticated session
Persist
Payload executes under site origin
Impact
Hijack session or create rogue admin account

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has the WPZOOM Addons for Elementor plugin installed and active at version 1.3.4 or earlier, and that a victim user - most impactful if an authenticated administrator - clicks an attacker-crafted URL containing the reflected payload (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates network-reachable, low-complexity exploitation by an unauthenticated attacker, but requires user interaction (clicking a crafted link), which substantially limits opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL targeting a vulnerable parameter in the WPZOOM Addons for Elementor plugin on a victim WordPress site and delivers it via phishing email, forum post, or social media to a logged-in administrator. When the admin clicks the link, the reflected payload executes in their authenticated browser session, allowing the attacker to perform actions such as creating a new admin user, injecting a malicious post, or exfiltrating session cookies. …
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided intelligence - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpzoom-elementor-addons/vulnerability/wordpress-wpzoom-addons-for-elementor-plugin-1-3-4-reflected-cross-site-scripting-xss-vulnerability and update to the next release above 1.3.4 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy