Description
Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1006.
Published: 2025-04-15
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery (SSRF) in the WP Royal Royal Elementor Addons plugin. It permits an attacker to cause the web server to issue HTTP(S) requests to arbitrary URLs. This could lead to disclosure of internal resources, data exfiltration, or denial of service. The weakness is described by CWE‑918, which represents an inadequate validation of user‑supplied input that results in arbitrary URL fetches.

Affected Systems

Affected systems are installations of the WordPress plugin Royal Elementor Addons by WP Royal, version 1.7.1006 or earlier. The plugin is distributed via WordPress and integrated into WordPress sites; any site using a vulnerable version is at risk.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation. Since the vulnerability is not in the CISA KEV catalog, there is no evidence of active exploitation. Attackers would likely need to interact with a vulnerable site’s exposed endpoints, which could be triggered by an unauthenticated user or a user with plugin configuration privileges. Even with modest exploitation probability, the ability to reach internal networks remains a concern in highly protected environments.

Generated by OpenCVE AI on May 1, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Royal Elementor Addons to a version newer than 1.7.1006.
  • Disable or remove the Royal Elementor Addons plugin if it is not required for site functionality.
  • If upgrading is not immediately possible, configure the web server or network firewall to block outbound HTTP(S) requests from the web application to internal network addresses or to suspicious domains.


Advisories
Source: EUVD
ID: EUVD-2025-10942
Title: Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through 1.7.1006.

History

Tue, 28 Apr 2026 21:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}
  Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through 1.7.1006.
  Values Added: Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1006.
References
Metrics
  Values Removed: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Tue, 08 Jul 2025 18:45:00 +0000

First Time appeared
  Values Added:
    Royal-elementor-addons
    Royal-elementor-addons royal Elementor Addons
CPEs
  Values Added: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values Added:
    Royal-elementor-addons
    Royal-elementor-addons royal Elementor Addons

Tue, 15 Apr 2025 12:15:00 +0000

Description
  Values Added: Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through 1.7.1006.
Title
  Values Added: WordPress Royal Elementor Addons plugin <= 1.7.1006 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses
  Values Added: CWE-918
References
Metrics
  Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:45.994Z

Reserved: 2025-02-17T11:51:57.195Z

Link: CVE-2025-26990

Vulnrichment

Updated: 2025-04-15T13:49:22.556Z

NVD

Status: Modified

Published: 2025-04-15T12:15:21.597

Modified: 2026-04-23T15:26:12.100

Link: CVE-2025-26990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses