What the vulnerability does
01Description
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.
Explanation of Vulnerability in Simple Terms
02Summary
Royal Addons for Elementor contains a server-side request forgery vulnerability that allows unauthenticated attackers to make the site send HTTP requests to internal or external systems on their behalf. The vulnerability affects all versions up to 1.7.1057. An attacker can read sensitive data from internal services or interact with external APIs without authorization. Site owners should update to a version newer than 1.7.1057 immediately.
What an attacker can do
03Attacker Capabilities
Make the site send HTTP requests to internal systems or external services to read data or perform actions.
Potential impact on your site
04Site Impact
Attackers can access internal services, read sensitive data, or interact with external APIs through your site.
Conditions required to exploit
05Prerequisites
No authentication or user interaction required; attacker needs only network access to the site.
Key dates
06Disclosure timeline
May 2, 2026
CVE published
May 4, 2026
Record updated