PT-2026-36590 · WordPress · Royal Elementor Addons

Dmitry Ignatyev · Published 2026-05-02 · Updated 2026-05-05 · CVE-2026-6229

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Royal Elementor Addons versions prior to 1.7.1058

Description

The Royal Elementor Addons plugin for WordPress contains a Server-Side Request Forgery (SSRF) issue. This occurs because the render_csv_data() function does not sufficiently validate user-supplied URLs, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter. These URLs are then used in fopen() calls without blocking internal or private network addresses. Authenticated attackers with Contributor-level access or higher can exploit this to make requests to arbitrary URLs and retrieve sensitive information from internal services.

Recommendations

Update the plugin to a version later than 1.7.1057. As a temporary workaround, restrict access to the render_csv_data() function to minimize the risk of exploitation.
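The weakness described above comes down to matching a marker string anywhere in the URL instead of validating the parsed host and the address it resolves to. The following is an added example, not the plugin's code: the function names, the stub resolver and the sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not taken from the plugin.

// Weak pattern the advisory describes: the marker may appear anywhere in the URL.
function weak_is_sheet_url(string $url): bool {
    return strpos($url, 'docs.google.com/spreadsheets') !== false;
}

// Stricter check: parse first, pin scheme/host/path, then require that every
// resolved address is public. $resolve is injected so the sample runs offline;
// in production pass 'gethostbynamel' (IPv4) or an equivalent resolver.
function strict_is_sheet_url(string $url, callable $resolve): bool {
    $p = parse_url($url);
    if (!is_array($p) || strtolower($p['scheme'] ?? '') !== 'https') {
        return false;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;                       // no credentials or odd ports
    }
    $host = strtolower($p['host'] ?? '');
    if ($host !== 'docs.google.com'
        || strpos($p['path'] ?? '', '/spreadsheets/') !== 0) {
        return false;                       // marker must be the real host + path
    }
    $ips = $resolve($host);
    if (!is_array($ips) || $ips === []) {
        return false;                       // unresolvable: fail closed
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;                   // loopback, RFC 1918, link-local, ...
        }
    }
    return true;
}

// Constructed sample data: stub resolver and placeholder URLs.
$stub_dns = fn(string $h): array => $h === 'docs.google.com' ? ['8.8.8.8'] : [];
$samples = [
    'https://docs.google.com/spreadsheets/d/EXAMPLE_ID/export?format=csv',
    'http://intranet.example/status?ref=docs.google.com/spreadsheets',
];
foreach ($samples as $u) {
    printf("weak=%s strict=%s  %s\n",
        var_export(weak_is_sheet_url($u), true),
        var_export(strict_is_sheet_url($u, $stub_dns), true), $u);
}
```

A check like this does not by itself cover HTTP redirects or a host that resolves differently between validation and the fopen() call. Inside WordPress, wp_safe_remote_get() is the usual replacement for a raw fopen() on a user-supplied URL.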

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-6229

Affected Products

Royal Elementor Addons