Arbitrary File Read Vulnerability in Royal Addons for Elementor Plugin by WordPress
CVE-2026-8118

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Royal Addons For Elementor – Addons And Templates Kit For Elementor
Vendor: CVE Published:; 19 June 2026

What is CVE-2026-8118?

The Royal Addons for Elementor plugin for WordPress is susceptible to an Arbitrary File Read vulnerability due to improper handling of user-controlled input in the wpr_get_csv_handle() function. This issue arises from the fallback mechanism that fails to adequately validate the settings.table_upload_csv.url parameter, allowing authenticated users with Contributor-level permissions or higher to exploit the plugin. By manipulating the wpr-data-table widget and utilizing Elementor's save_builder endpoint, attackers can retrieve the contents of any file accessible by the PHP process, including sensitive files like wp-config.php, posing significant security risks to affected installations.

Affected Version(s)

Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 <= 1.7.1059

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3532747/roya...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
May 7, 2026

Credit

Jack Taylor

CVE-2026-8118 Data

JSON