Impact
The vulnerability is a Server-Side Request Forgery (SSRF) flaw that allows an attacker to induce the WordPress site to send HTTP/HTTPS requests to arbitrary destinations controlled by the attacker. Depending on the target, this could expose sensitive data or internal network resources, or enable further compromise. The weakness is classified as CWE-918, indicating a lack of proper validation of user-supplied URLs. Although the CVSS score of 5.4 suggests moderate severity, the flaw still poses a risk to confidentiality and integrity when misused.
Affected Systems
The affected product is the Traveler Layout Essential For Elementor plugin from shinetheme, versions up to and including 1.3.x (all releases before version 1.4). Site owners using any vulnerable installation of the plugin—such as the commonly cited 1.0.8 build—are at risk.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Nonetheless, the attack vector is inferred to be a web request from a user with sufficient privileges (or via a crafted request) that can be directed to internal or public URLs. An attacker who can trigger the SSRF might retrieve internal service endpoints or force the server to perform actions that compromise the site’s security posture.
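The check that CWE-918 says is missing, sketched as an added Python example (not the plugin's code, which this page does not show): the destination of a user-supplied URL is validated before the server fetches it. The function names, hostnames and DNS answers are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "cdn.example.test": ["93.184.216.34"],
    "intranet.example.test": ["10.0.4.12"],
    "mixed.example.test": ["93.184.216.34", "::ffff:127.0.0.1"],
}

def sample_resolver(host):
    """Stand-in resolver: IP literals pass through, names use SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in SAMPLE_DNS:
            raise OSError("name does not resolve")
        return SAMPLE_DNS[host]

def system_resolver(host):
    """Real lookup for production use; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    # is_global is False for loopback, RFC 1918, link-local and reserved ranges.
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, resolver=system_resolver):
    """Return (True, addresses_to_pin) or (False, reason)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolver(host)
    except OSError:
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY answer is internal: one bad record is enough to be abused.
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked:
        return False, "non-public destination: " + ", ".join(blocked)
    return True, addrs
```

The caller should connect only to the returned addresses and repeat the check on every redirect, since a name can resolve differently between the check and the fetch.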