CVE-2026-2373 MEDIUM

CVE-2026-2373: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure

Vendor Wproyal
Product Royal Addons for Elementor – Addons and Templates Kit for Elementor
Weakness CWE-862 · Missing authorization
Published March 17, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.

Explanation of Vulnerability in Simple Terms

02Summary

Royal Addons for Elementor contains a missing authorization flaw that allows unauthenticated attackers to read sensitive information over the network. The vulnerability affects all versions up to 1.7.1049. No user interaction is required to exploit this issue. Site administrators should update to a version newer than 1.7.1049 as soon as possible.

What an attacker can do

03Attacker Capabilities

Read sensitive information from the site without logging in.

Potential impact on your site

04Site Impact

Unauthorized users can access confidential data exposed by the plugin.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

March 17, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE