
Royal Elementor Addons CVE-2026-6229

EUVD-2026-26757 · HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-02 · Wordfence
7.2 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • May 02, 2026 - 08:16 (vuln.today): Analysis Generated
  • May 02, 2026 - 08:00 (euvd): EUVD ID Assigned (EUVD-2026-26757)
  • May 02, 2026 - 08:00 (vuln.today): Analysis Generated
  • May 02, 2026 - 07:46 (nvd): CVE Published (HIGH 7.2)

Description (CVE.org)

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.
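As an added illustration (not code from the plugin, the patch, or this advisory), the Python below models the two checks the description contrasts: a substring test over the whole URL, which passes when the expected string sits only inside a query value, and a hardened check that parses the URL, pins the scheme and exact hostname, and refuses hosts that resolve to loopback, private, link-local or other non-global addresses. The sample URLs, the resolver table and the function names are constructed; the resolver is injectable so the script runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed sample URLs (not taken from any real request):
# the first carries the allow-listed string only inside a query value,
# the second has the shape of a genuine Google Sheets CSV export URL.
BYPASS_URL = "http://169.254.169.254/latest/meta-data/?fake=docs.google.com/spreadsheets"
SHEET_URL = "https://docs.google.com/spreadsheets/d/EXAMPLE_ID/export?format=csv"

ALLOWED_HOST = "docs.google.com"


def weak_is_allowed(url: str) -> bool:
    """Substring test over the whole URL: the pattern the advisory
    describes as bypassable, since the query string is part of the URL."""
    return "docs.google.com/spreadsheets" in url


def hardened_is_allowed(url: str, resolve: Optional[Callable[[str], str]] = None) -> bool:
    """Parse the URL, pin scheme and exact hostname, then refuse any host
    that resolves to a non-global address. `resolve` is injectable so
    tests run offline; the default uses the system resolver."""
    resolve = resolve or socket.gethostbyname
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    # .hostname drops userinfo, so "docs.google.com@10.0.0.5" is seen as 10.0.0.5
    if parts.hostname != ALLOWED_HOST or not parts.path.startswith("/spreadsheets/"):
        return False
    try:
        addr = ipaddress.ip_address(resolve(ALLOWED_HOST))
    except (OSError, ValueError):  # socket.gaierror is an OSError
        return False
    # A second lookup at fetch time can differ (DNS rebinding); connecting
    # to this resolved address rather than re-resolving closes that gap.
    return addr.is_global


if __name__ == "__main__":
    # Constructed resolver table so the demo needs no network access.
    table = {ALLOWED_HOST: "142.250.190.14"}  # constructed value, not a live lookup
    fake_resolve = lambda host: table.get(host, host)
    for url in (BYPASS_URL, SHEET_URL):
        print(f"weak={weak_is_allowed(url)!s:5} "
              f"hardened={hardened_is_allowed(url, fake_resolve)!s:5} {url}")
```

In a WordPress plugin the equivalent is to fetch through `wp_safe_remote_get()`, which runs `wp_http_validate_url()` on the URL before any request is made, rather than passing attacker-influenced URLs to `fopen()`.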

Analysis (AI)

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain Contributor WordPress credentials
  • Delivery: Access Elementor page editor
  • Exploit: Insert Data Table widget with crafted CSV URL
  • Install: Inject 'docs.google.com/spreadsheets' in query parameter
  • C2: Bypass URL validation
  • Execute: Target internal service via fopen()
  • Impact: Retrieve sensitive data from metadata endpoint

Vulnerability Assessment (AI)

Exploitation: Royal Elementor Addons plugin version 1.7.1057 or earlier must be installed and active on the WordPress site. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk assessment reveals conflicting signals requiring careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with Contributor-level WordPress credentials (or potentially no credentials if the CVSS PR:N vector is accurate) crafts a malicious Elementor page containing a Royal Addons Data Table widget. They configure the CSV data source parameter with a URL like 'http://169.254.169.254/latest/meta-data/iam/security-credentials/admin-role?fake=docs.google.com/spreadsheets' to target AWS instance metadata service. …

Remediation: Apply the vendor-released patch by upgrading Royal Elementor Addons to version 1.7.1058 or later, as evidenced by the WordPress plugin repository changeset 3514363 at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3514363%40royal-elementor-addons&new=3514363%40royal-elementor-addons&sfp_email=&sfph_mail=, which addresses the vulnerable render_csv_data() function. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Audit WordPress plugin inventory to identify all instances of Royal Elementor Addons and confirm installed versions against 1.7.1057 baseline; isolate affected WordPress instances from internal network access if possible. …




CVE-2026-6229 vulnerability details – vuln.today
