Skip to main content

Royal Addons For Elementor Addons And Templates Kit For Elementor

1 CVEs product

Monthly

CVE-2026-8118 MEDIUM This Month

Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.

PHP WordPress Information Disclosure Royal Addons For Elementor Addons And Templates Kit For Elementor
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.

PHP WordPress Information Disclosure +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy