CVE-2026-40720
Status: Deferred - Pending Action
Unauthenticated XSS in Royal Elementor Addons Pro

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Cross Site Scripting (XSS) in Royal Elementor Addons Pro versions before 1.7.1041.
Meta Information
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: royal_elementor_addons
Product: royal_elementor_addons_pro
Version / Range: up to 1.7.1041 (excluding 1.7.1041)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The vulnerability allows attackers to inject malicious scripts into websites, which could lead to unauthorized actions such as redirects or execution of harmful payloads. This type of Cross Site Scripting (XSS) attack can potentially compromise the confidentiality, integrity, and availability of data handled by the affected website.

Such security weaknesses may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks. If exploited, the vulnerability could lead to data breaches or unauthorized data processing, thereby violating these regulations.

Immediate remediation by updating the plugin to a secure version is advised to maintain compliance and reduce risk.

Executive Summary

The WordPress Royal Elementor Addons Pro Plugin, prior to version 1.7.1041, is vulnerable to a Cross Site Scripting (XSS) attack. This vulnerability allows attackers to inject malicious scripts into websites, which can execute when visitors access the site.

Such malicious scripts could lead to harmful actions like redirects, displaying unwanted advertisements, or other damaging payloads.

Exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a form.

Impact Analysis

If exploited, this vulnerability can lead to unauthorized script execution on your website, potentially causing redirects to malicious sites, unwanted advertisements, or other harmful effects.

This can compromise the security and integrity of your website, harm user trust, and expose visitors to further attacks.

Because the vulnerability can be targeted in mass-exploit campaigns, thousands of websites could be affected regardless of their size or popularity.

Detection Guidance

The vulnerability is a Cross Site Scripting (XSS) issue in Royal Elementor Addons Pro plugin versions prior to 1.7.1041. Detection typically involves monitoring for suspicious script injections or unusual behavior on web pages rendered by this plugin.

No specific detection commands are provided in the available resources. General detection methods include reviewing web server logs for suspicious requests, checking installed plugin versions against the fixed version (1.7.1041), and running web vulnerability scanners that detect XSS issues.

Mitigation Strategies

Immediate mitigation involves updating the Royal Elementor Addons Pro plugin to version 1.7.1041 or later, which contains the fix for this XSS vulnerability.

Until the update can be applied, apply the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.
