CVE-2026-8118
Received - Intake
Arbitrary File Read in Royal Addons for Elementor

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Wordfence

Description
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, 'r') on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes it possible for authenticated attackers, with Contributor-level access and above, to save a crafted wpr-data-table widget through Elementor's save_builder endpoint and have the rendered preview return the line-by-line contents of any file readable by the PHP process, including wp-config.php.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: royal_addons
Product: elementor_addons_and_templates_kit
Version / Range: From 1.7.1058 (inc) to 1.7.1059 (inc)
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
Executive Summary

The vulnerability exists in the Royal Addons for Elementor plugin for WordPress, specifically in versions 1.7.1058 through 1.7.1059. It is an Arbitrary File Read issue caused by the wpr_get_csv_handle() helper function. This function improperly handles the attacker-controlled settings.table_upload_csv.url value by falling back to reading files without proper validation, such as allow-listing, traversal blocking, or extension checks. As a result, authenticated users with Contributor-level access or higher can craft a wpr-data-table widget that, when saved and previewed, reveals the contents of any file readable by the PHP process, including sensitive files like wp-config.php.

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to read arbitrary files on the server. This can lead to exposure of sensitive information such as database credentials, configuration files, or other critical data stored on the server. Such information disclosure can facilitate further attacks, compromise the security of the website, and potentially lead to data breaches.
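
An added audit example, not code from the plugin or from Wordfence: it walks an exported Elementor document and flags wpr-data-table widgets whose settings.table_upload_csv.url is not an http(s) URL, which is the condition under which the description says the helper falls back to a local file read. It assumes the document is the JSON element tree Elementor stores in the _elementor_data post meta; the function names and the sample document are constructed.

```python
import json
from urllib.parse import urlsplit

WIDGET_TYPE = "wpr-data-table"    # widget named in the advisory
SETTING_KEY = "table_upload_csv"  # settings.table_upload_csv.url

def is_http_url(value):
    """True only for an absolute http(s) URL with a host part."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)

def iter_elements(nodes):
    """Depth-first walk over the nested element tree."""
    for node in nodes if isinstance(nodes, list) else []:
        if isinstance(node, dict):
            yield node
            yield from iter_elements(node.get("elements"))

def find_suspect_csv_sources(elementor_json):
    """Return (element id, url) for data-table widgets with a non-HTTP source."""
    hits = []
    for el in iter_elements(json.loads(elementor_json)):
        if el.get("widgetType") != WIDGET_TYPE:
            continue
        settings = el.get("settings")  # may be [] when a widget has no settings
        csv = settings.get(SETTING_KEY) if isinstance(settings, dict) else None
        url = csv.get("url") if isinstance(csv, dict) else None
        if url and not is_http_url(url):
            hits.append((el.get("id"), url))
    return hits

# Constructed sample document, not taken from a real site.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "column", "settings": {}, "elements": [
        {"id": "c3", "elType": "widget", "widgetType": WIDGET_TYPE, "elements": [],
         "settings": {SETTING_KEY: {"url": "https://example.com/prices.csv"}}},
        {"id": "d4", "elType": "widget", "widgetType": WIDGET_TYPE, "elements": [],
         "settings": {SETTING_KEY: {"url": "../../wp-config.php"}}},
        {"id": "e5", "elType": "widget", "widgetType": "heading",
         "settings": [], "elements": []}]}]}])

if __name__ == "__main__":
    for element_id, url in find_suspect_csv_sources(SAMPLE):
        print(f"review element {element_id}: CSV source {url!r}")
```

A hit only shows that a non-HTTP source value was saved; whether it was ever read depends on the site having run an affected version while that document was rendered.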
