This vulnerability (CVE-2026-40720) is an instance of CWE-79: Improper Neutralization of Input During Web Page Generation, commonly known as cross-site scripting (XSS). It affects Royal Elementor Addons Pro versions before 1.7.1041 and can be exploited without authentication. The CVSS 3.1 score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed. The impact includes limited confidentiality, integrity, and availability loss. No patch or official remediation level has been disclosed as of the publication date.

Successful exploitation can allow attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to partial disclosure of sensitive information, modification of data, or disruption of service. The vulnerability does not require authentication, increasing its risk. However, user interaction is required to trigger the exploit. The scope of impact extends beyond the vulnerable component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing web application firewall (WAF) rules to detect and block XSS payloads targeting this component. Avoid exposing vulnerable versions publicly and monitor for updates from the vendor.