CVE-2026-2373 in Royal Addons for Elementor Plugin
Summary
by MITRE • 03/17/2026
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.
Analysis
by VulDB Data Team • 03/22/2026
CVE-2026-2373 affects the Royal Addons for Elementor WordPress plugin in all versions up to and including 1.7.1049. It is an information exposure in the plugin's get_main_query_args() function, which builds post-retrieval queries without adequate access control: the function does not restrict which post types may be queried, so content that should be visible only to authorized users can be reached by anyone.
The flaw lies in how get_main_query_args() assembles the query arguments used to retrieve posts. The function does not check whether the requesting user is permitted to read the post types it is asked for, so an unauthenticated attacker can supply query parameters that target non-public custom post types. The affected types named in the advisory are Contact Form 7 submissions and WooCommerce coupons, both of which normally hold data that should never be publicly readable.
The impact goes beyond generic information disclosure: an attacker can extract business data such as customer contact details from form submissions and promotional codes from the coupon system, all without authenticating. For organizations that rely on these plugins, this is a significant exposure of data that was assumed to be private. It is a failure of least privilege, since the plugin grants anonymous requests a level of read access that should require authorization.
Security professionals should recognize this as a classic case of insufficient input validation and access control enforcement, matching CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). The attack vector amounts to privilege escalation through missing authorization checks, which maps to ATT&CK techniques T1213.002 (External Remote Services) and T1566.001 (Phishing). Organizations should update the plugin promptly, add access controls where the plugin's own checks are insufficient, and monitor for unauthorized access attempts.
Remediation starts with updating Royal Addons for Elementor to a version that fixes the access control flaw in get_main_query_args(). Administrators should also audit their WordPress installations for similar weaknesses in other plugins, and tune monitoring to flag anomalous query patterns that could indicate exploitation attempts. The case underlines how critical correct access control is in web applications, and why third-party plugins deserve security testing before they are deployed to production.
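As an added example (not the plugin's code; the ra_example_* names are hypothetical), this shows the shape of the missing restriction: query arguments are rebuilt from an allowlist of the site's public post types, and post status is fixed by the caller's capability rather than copied from input. The policy function is plain PHP so it can be tested outside WordPress; the wrapper supplies get_post_types() and current_user_can().

```php
<?php
// Added example, not the plugin's code; ra_example_* names are hypothetical.
// Policy: untrusted query args may only reach post types registered as public,
// and only published posts unless the caller may read private ones.
/**
 * Pure-PHP policy function (no WordPress dependency, so it is unit-testable).
 * @param array    $requested        Untrusted args (widget settings, request params).
 * @param string[] $public_types     Post types registered with 'public' => true.
 * @param bool     $can_read_private Whether the caller may see private posts.
 */
function ra_example_restrict_query_args( array $requested, array $public_types, bool $can_read_private ): array {
    $public_types = array_map( 'strval', $public_types );
    // Normalise post_type to a list of strings; 'any' means "every public type", never every type.
    $types = $requested['post_type'] ?? 'post';
    $types = array_filter( is_array( $types ) ? $types : array( $types ), 'is_string' );
    if ( in_array( 'any', $types, true ) ) {
        $types = $public_types;
    }
    // Allowlist: keep only public types. Non-public types (e.g. Contact Form 7
    // submissions, shop_coupon) and unknown names are dropped, not passed through.
    $allowed = array_values( array_intersect( $types, $public_types ) );
    if ( empty( $allowed ) ) {
        return array( 'post__in' => array( 0 ) ); // WP_Query idiom for "match nothing"
    }
    $args = array(
        'post_type'   => $allowed,
        // Status is decided here and never copied from input ('post_status', 'perm', ...).
        'post_status' => $can_read_private ? array( 'publish', 'private' ) : 'publish',
    );
    // Copy only harmless pagination/order keys, with a hard cap on page size.
    $args['posts_per_page'] = min( 100, max( 1, (int) ( $requested['posts_per_page'] ?? 10 ) ) );
    $args['paged']          = max( 1, (int) ( $requested['paged'] ?? 1 ) );
    foreach ( array( 'orderby', 'order' ) as $key ) {
        if ( isset( $requested[ $key ] ) && is_string( $requested[ $key ] ) ) {
            $args[ $key ] = $requested[ $key ]; // WP_Query validates these against its own lists
        }
    }
    return $args;
}
/** WordPress-facing wrapper: resolves the public type list and the caller's capability. */
function ra_example_safe_query_args( array $requested ): array {
    return ra_example_restrict_query_args(
        $requested,
        get_post_types( array( 'public' => true ), 'names' ),
        current_user_can( 'read_private_posts' )
    );
}
```

Sites that want the stricter notion of visibility can build the allowlist from 'publicly_queryable' => true instead of 'public' => true; the policy function itself does not change.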