CVE-2026-39597: WordPress WPZOOM Addons for Elementor plugin <= 1.3.4 - Reflected Cross Site Scripting (XSS) vulnerability

Synopsis

Reflected Cross-Site Scripting (XSS) in WPZOOM Addons for Elementor (versions 1.3.4 and below) allows an unauthenticated remote attacker to inject malicious scripts into a victim's browser session. The vulnerability is reachable over the network and requires no login, but does require tricking a user into clicking a crafted link. Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser context, enabling session hijacking, credential theft, or page content manipulation. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker delivers the malicious payload over the network by sending the victim a crafted URL pointing to the vulnerable WordPress site.

• AuthenticationNot required

  No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party.

• Victim interactionRequired

  A victim must click or follow a specially crafted link, making this a social-engineering-dependent attack.

• Attack complexityDetail

  Exploitation is straightforward and condition-free once a victim opens the crafted link; no race conditions or special environment state are required.

Blast Radius

• Attacker executes arbitrary JavaScript in the victim's browser session, enabling theft of session cookies and authentication tokens.
• Attacker can read or exfiltrate any page content visible to the victim, including form inputs and displayed user data.
• Attacker can modify the rendered page to serve fake login forms or redirect the victim to attacker-controlled sites.
• With Limited impact on availability, the attacker can disrupt the victim's browsing session or cause client-side errors that degrade page functionality.