Impact
The Royal Addons for Elementor plugin is vulnerable to arbitrary file read when the CSV source URL is supplied by an attacker. The helper function falls back to opening any path supplied in the widget settings when the value does not parse as a URL, with no validation or allow‑list. An authenticated user with Contributor or higher privileges can save a crafted widget via Elementor’s save_builder endpoint and the rendered preview will expose the contents of any file readable by the PHP process, including critical files such as wp-config.php. This direct read of sensitive configuration data compromises confidentiality of files readable by PHP and can be a step toward further exploitation.
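The fallback pattern described above, shown beside one way to harden it. This is an added illustration, not the plugin's own code: the function names are hypothetical, and the hardened version relies on the WordPress HTTP API (`wp_http_validate_url`, `wp_safe_remote_get`) and the media library (`get_attached_file`) to replace the unconstrained local-path fallback.

```php
<?php
// Hypothetical illustration of the vulnerable pattern and a hardened variant.
// Not the plugin's code; function names are invented for the example.

// BEFORE: the saved widget value is used as-is. Anything that does not parse
// as a URL is handed straight to file_get_contents(), so any path readable by
// the PHP process (wp-config.php included) becomes a valid "CSV source".
function royal_csv_read_unsafe( $source ) {
    if ( filter_var( $source, FILTER_VALIDATE_URL ) ) {
        return wp_remote_retrieve_body( wp_remote_get( $source ) );
    }
    return file_get_contents( $source ); // unvalidated local-path fallback
}

// AFTER: there is no raw-path branch at all. Local data may only come from a
// CSV attachment in the media library (referenced by numeric ID), and remote
// data only from an http(s) URL that passes WordPress's own validation, which
// also rejects loopback/private hosts by default.
function royal_csv_read_hardened( $source ) {
    $source = trim( (string) $source );

    // Allow-listed local source: an uploaded CSV attachment, resolved by ID.
    if ( ctype_digit( $source ) ) {
        $attachment_id = (int) $source;
        if ( 'text/csv' !== get_post_mime_type( $attachment_id ) ) {
            return new WP_Error( 'royal_csv_not_csv', 'Attachment is not a CSV file.' );
        }
        $path = get_attached_file( $attachment_id );
        if ( ! $path || ! is_readable( $path ) ) {
            return new WP_Error( 'royal_csv_missing', 'Attachment file not found.' );
        }
        return file_get_contents( $path );
    }

    // Remote source: must be a validated http(s) URL; no other fallback.
    $url = wp_http_validate_url( $source );
    if ( false === $url ) {
        return new WP_Error( 'royal_csv_bad_source', 'CSV source must be an http(s) URL.' );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'royal_csv_http', 'Unexpected HTTP status from CSV source.' );
    }
    return wp_remote_retrieve_body( $response );
}
```

Because the widget is saved by a Contributor-level user and rendered in preview, the check must live in the read helper itself rather than in any front-end form validation.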
Affected Systems
The flaw affects the Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress in versions 1.7.1058 through 1.7.1059. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity; the EPSS score is not available, so the likelihood of exploitation is unclear, and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability is only exploitable by authenticated users with Contributor or higher capabilities, and the attack path requires use of Elementor’s save_builder endpoint to deploy a malicious widget. The attacker would then trigger a preview rendering to read the file contents. Consequently, the risk is primarily to the confidentiality of files readable by PHP in the hosting environment.
OpenCVE Enrichment