CVE-2025-26990 MEDIUM

CVE-2025-26990: WordPress Royal Elementor Addons plugin <= 1.7.1006 - Server Side Request Forgery (SSRF) vulnerability

Vendor Wp Royal
Product Royal Elementor Addons
Weakness CWE-918 · SSRF
Published April 15, 2025
Last update April 28, 2026

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons (royal-elementor-addons) allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1006.

Explanation of Vulnerability in Simple Terms

02 Summary

Royal Elementor Addons versions up to 1.7.1006 contain a server-side request forgery vulnerability. An authenticated administrator can craft requests that cause the site to make HTTP calls to internal or external systems on the attacker's behalf. The vulnerability requires high privileges and complex attack conditions, limiting its practical impact but potentially exposing internal services or data.

What an attacker can do

03 Attacker Capabilities

Make the site send HTTP requests to internal or external systems without authorization.

Potential impact on your site

04 Site Impact

An admin account compromise could expose internal services, APIs, or data accessible from your server.

Conditions required to exploit

05 Prerequisites

Administrator account access and knowledge of internal network topology or target URLs.

Key dates

06 Disclosure timeline

April 15, 2025 CVE published
April 28, 2026 Record updated