CVE-2026-2373 - Vulnerability Details

- Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure

Description

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.

Published: 2026-03-17

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to information exposure because its get_main_query_args() function does not enforce proper authorization on which custom post types can be retrieved. As a result, unauthenticated attackers can extract content from non‑public custom post types, such as Contact Form 7 submissions or WooCommerce coupons. This represents a confidentiality breach that could expose user data, marketing campaign details, or other sensitive information that was intended to remain private.

Affected Systems

This vulnerability affects all installations of the wproyal:Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin with version numbers up to and including 1.7.1049. No other vendors or products are listed as affected.

Risk and Exploitability

With an overall CVSS score of 5.3 the vulnerability is rated medium in severity. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalogue. Because the flaw can be exploited without any authentication, any visitor to the site can trigger the get_main_query_args() function and retrieve non‑public content, making the risk moderate to high for sites that use such custom post types. No special environmental conditions are required for exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wproyal

Royal Addons for Elementor – Addons and Templates Kit for Elementor

unaffected

Version	Status	Constraints
`*`	affected	≤ 1.7.1049

No data.

Vendor Product Confidence Versions

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Wproyal

Royal Addons For Elementor – Addons And Templates Kit For Elementor

100%

Version	Status	Scheme	Platform
`[0,1.7.1049]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an updated version of Royal Addons for Elementor – Addons and Templates Kit for Elementor that is newer than 1.7.1049.

Generated by OpenCVE AI on March 17, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3475656/
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve

History

Tue, 17 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 17 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wproyal Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor
Vendors & Products		Wordpress Wordpress wordpress Wproyal Wproyal royal Addons For Elementor – Addons And Templates Kit For Elementor

Tue, 17 Mar 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.
Title		Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/changeset/3475656/ https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Wordpress Wordpress

Wproyal Royal Addons For Elementor – Addons And Templates Kit For Elementor

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-17T03:36:25.155Z

Updated: 2026-03-17T13:25:15.811Z

Reserved: 2026-02-11T20:47:09.620Z

Link: CVE-2026-2373

Vulnrichment

Updated: 2026-03-17T13:25:12.267Z

NVD

Status : Awaiting Analysis

Published: 2026-03-17T04:16:14.730

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-2373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:35Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object