Royal Elementor Addons Pro
CVE-2026-40720
HIGH
Severity by source
Primary rating from the vendor (Patchstack).
CVSS vector (vendor: Patchstack): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated, network-reachable XSS that needs one victim interaction such as opening a crafted link (UI:R); the injected script runs in the victim's browser, a different security scope from the vulnerable plugin (S:C), with the limited confidentiality, integrity and availability impact typical of XSS.
Description (CVE.org)
Unauthenticated Cross Site Scripting (XSS) in Royal Elementor Addons Pro < 1.7.1041 versions.
Analysis (AI-generated)
Unauthenticated cross-site scripting in the Royal Elementor Addons Pro WordPress plugin, versions prior to 1.7.1041, allows a remote attacker to inject JavaScript that executes in a victim's browser when the victim opens a crafted link or page; the advisory does not say whether the injection is reflected or stored. No public exploit was identified at the time of analysis, but the unauthenticated entry point combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. …
Vulnerability Assessment (AI-generated)
| Area | Assessment |
| --- | --- |
| Exploitation | The target WordPress site must have Royal Elementor Addons Pro installed and activated at a version below 1.7.1041, with at least one page exposing the vulnerable widget, shortcode or endpoint to unauthenticated visitors. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L yields 7.1 (High). The scope change (S:C) is what lifts it out of Medium (the same vector with S:U scores 6.3): the vulnerable component is the server-side plugin, but the injected script executes in the victim's browser, a different security authority. … |
| Exploit Scenario | An attacker crafts a URL to a vulnerable Royal Elementor Addons Pro endpoint or shortcode-rendered page with a payload in a reflected parameter, then phishes a site visitor or administrator into opening it; the victim's browser executes the injected JavaScript in the WordPress site's origin. Because WordPress sets its authentication cookies HttpOnly, the realistic high-impact outcome is not raw cookie theft but authenticated actions issued from the victim's session (for example REST API or admin-ajax requests carrying the nonces exposed on the page), as well as covert redirection to malware. No public exploit was identified at the time of analysis, but exploitation requires only standard browser tooling once the vulnerable parameter is known. |
| Remediation | Vendor-released patch: upgrade Royal Elementor Addons Pro to version 1.7.1041 or later via the WordPress plugin update mechanism or by downloading the latest build from the vendor account portal, per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpr-addons-pro/vulnerability/wordpress-royal-elementor-addons-pro-plugin-1-7-1041-cross-site-scripting-xss-vulnerability. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all WordPress installations running Royal Elementor Addons Pro and document current plugin versions in use. …
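One way to carry out that inventory step across several WordPress document roots, as an added example that is not part of the page or the vendor's tooling. It reads the plugin's header the way WordPress does (a "Key: value" comment in the first 8 KiB of the main plugin file) and compares the version against the first fixed release. Two assumptions are labelled in the code: the plugin directory is named wpr-addons-pro (taken from the Patchstack URL slug), and 1.7.1041 is the first fixed version, as the advisory states.

```python
"""Find Royal Elementor Addons Pro on WordPress roots and flag versions below the fix.

Added example, not code from the page or the plugin vendor. Assumptions: the plugin
lives in wp-content/plugins/wpr-addons-pro (directory name from the Patchstack URL
slug) and 1.7.1041 is the first fixed version per the advisory.

Usage: python audit_wpr_pro.py /var/www/site1 /var/www/site2 ...
"""
import os
import re
import sys

FIXED_VERSION = "1.7.1041"      # first fixed version per the advisory
PLUGIN_SLUG = "wpr-addons-pro"  # assumed directory name (Patchstack URL slug)
PLUGIN_NAME = "Royal Elementor Addons Pro"

# WordPress reads headers as "Key: value" lines in the first 8 KiB of the main plugin
# file, tolerating comment decoration (" * ", "//", "#") in front of the key.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(text):
    """Extract 'Plugin Name' and 'Version' from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value.strip())  # first occurrence wins, as in WordPress
    return fields


def version_key(version, width=8):
    """Fixed-width numeric tuple for ordering dotted versions. Missing components
    count as 0 and a non-numeric component (e.g. 'beta') as -1, so '1.7' and
    '1.7.1041-beta' both sort below '1.7.1041', matching PHP's version_compare."""
    parts = [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version)]
    return tuple((parts + [0] * width)[:width])


def is_vulnerable(version):
    """True when the installed version is older than the first fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_plugin_version(wp_root):
    """Return the installed version string, or None when the plugin is absent."""
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", PLUGIN_SLUG)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            fields = parse_plugin_header(fh.read(8192))
        if "Plugin Name" in fields:            # the main plugin file is the one carrying a name header
            return fields.get("Version", "0")  # no Version header: treat as 0, i.e. flag it
    return None


def audit(wp_roots):
    """Map each WordPress root to (installed_version, vulnerable)."""
    report = {}
    for root in wp_roots:
        version = find_plugin_version(root)
        report[root] = (version, version is not None and is_vulnerable(version))
    return report


if __name__ == "__main__":
    for root, (version, vulnerable) in audit(sys.argv[1:]).items():
        if version is None:
            status = "not installed"
        elif vulnerable:
            status = f"VULNERABLE, update to {FIXED_VERSION} or later"
        else:
            status = "patched"
        print(f"{root}: {PLUGIN_NAME} {version or '-'}: {status}")
```

Where WP-CLI is installed on the host, `wp plugin get wpr-addons-pro --field=version` (same directory-name assumption) gives the same answer for a single site; the script above is for fleets where you only have filesystem access, and it deliberately flags a plugin with no Version header rather than skipping it.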