WordPress Plugin Vulnerabilities

Royal Elementor Addons < 1.7.1007 - Admin+ SSRF

Description

The plugin is vulnerable to Server-Side Request Forgery. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
royal-elementor-addons
Fixed in 1.7.1007

References

CVE
CVE-2025-26990
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/50518a54-16d8-4467-beca-a6b8196ed9b9

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Marek Mikita
Verified
No
WPVDB ID
8fa43b5e-c43a-4720-8ab8-615bdc530310

Timeline

Publicly Published
2025-04-11 (about 10 months ago)
Added
2025-04-17 (about 10 months ago)
Last Updated
2025-04-17 (about 10 months ago)

Other

Published
Title
Published
2025-09-26
Title
Silencesoft RSS Reader <= 0.6 - Unauthenticated Server-Side Request Forgery
Published
2025-05-07
Title
Display Remote Posts Block < 1.1.1 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2024-03-26
Title
Gutenberg Blocks with AI by Kadence WP – Page Builder Features < 3.2.20 - Contributor+ Server-Side Request Forgery
Published
2014-11-30
Title
WordPress <= 4.0 - Server Side Request Forgery (SSRF)
Published
2025-08-26
Title
Chartbeat <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery