CVE-2026-40720: WordPress Royal Elementor Addons Pro plugin < 1.7.1041 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Royal Elementor Addons Pro < 1.7.1041 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 1.7.1041
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a reflected or stored cross-site scripting (XSS) vulnerability in the Royal Elementor Addons Pro WordPress plugin, affecting all versions below 1.7.1041. The flaw is reachable over the network without any authentication, but requires a victim to interact with a malicious link or page for the attack to succeed. Successful exploitation lets an attacker inject and run arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, or unauthorized actions taken on the victim's behalf. A patched-image rebuild at version 1.7.1041 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Royal Elementor Addons Pro plugin. Coverage applies to images in both connected registries and active CI/CD pipelines.
HarborGuard scores this finding at CVSS 7.1 (HIGH) and surfaces it accordingly in each customer environment, weighted against that environment's compliance policy to determine priority and routing. Findings are directed to the team or inbox configured for that severity tier within each customer org.
A patched-image rebuild at version 1.7.1041 becomes available on HarborGuard for any environment found running an affected version of the plugin. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against the affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the target WordPress site over the network; no local or physical access is needed.
- Authentication: Not required
  No account or credentials are needed; the attack can be launched by any unauthenticated party.
- Victim interaction: Required
  A victim must take an action such as clicking a crafted link or visiting a malicious page for the injected script to execute in their browser.
- Attack complexity: Low
  The exploit is reliable and condition-free; no race conditions or special environmental factors need to align for it to succeed.
Blast Radius
- Reads session cookies or authentication tokens from the victim's browser, enabling account takeover.
- Exfiltrates form input and credentials entered by the victim on the affected WordPress site.
- Performs unauthorized actions within the application on the victim's behalf, such as changing account settings or submitting data.
- Injects visible content or redirects into the page, enabling phishing or further social-engineering attacks against the victim.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of a scan against any image containing Royal Elementor Addons Pro below 1.7.1041, covering both registry-stored and pipeline-built images. Where compliance policy permits, auto-remediation triggers a rebuild at the patched version (1.7.1041), runs a regression test suite against the new image, and opens a pull request against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers who manage remediation manually will see the finding surfaced in their HarborGuard dashboard with the fix version, affected image list, and recommended action.
Fix available
- Royal Elementor Addons / Royal Elementor Addons Pro: < 1.7.1041 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L