CVE-2026-2373
Received Received - Intake
Information Exposure in Royal Addons for Elementor Plugin Allows Data Leak

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: Wordfence

Description
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2373
EUVD
EUVD-2026-12537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
royal_addons royal_elementor_addons to 1.7.1049 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Royal Addons for Elementor – Addons and Templates Kit for Elementor WordPress plugin, in all versions up to and including 1.7.1049. It is an Information Exposure issue caused by insufficient restrictions in the get_main_query_args() function. This flaw allows unauthenticated attackers to access and extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in non-public custom post types within the WordPress site. For example, attackers could extract data from Contact Form 7 submissions, which may contain personal user information, or WooCommerce coupons, potentially leading to misuse or fraud. Since the vulnerability can be exploited without authentication, it poses a risk of data leakage and privacy breaches.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the Royal Addons for Elementor plugin for WordPress, specifically versions up to and including 1.7.1049. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.

You can detect the presence of the vulnerable plugin version by checking the installed plugins and their versions on your WordPress installation.

  • Use WP-CLI to list installed plugins and their versions: wp plugin list
  • Check the plugin version directly in the WordPress admin dashboard under Plugins.
  • Look for suspicious access patterns or requests attempting to exploit the get_main_query_args() function, which may appear as unauthorized attempts to access non-public custom post types.

No specific commands or network detection signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the Royal Addons for Elementor plugin to a version later than 1.7.1049, as all versions up to and including 1.7.1049 are vulnerable.

Although the changeset for version 1.7.1050 does not explicitly mention security fixes related to this CVE, updating to the latest version is recommended to ensure you have the most recent patches and improvements.

  • Backup your WordPress site and database before performing any updates.
  • Update the plugin via the WordPress admin dashboard or using WP-CLI: wp plugin update royal-elementor-addons
  • Restrict access to sensitive custom post types by implementing additional access controls or security plugins if immediate update is not possible.

Monitor your site logs for any suspicious activity related to unauthorized data access attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2373. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart