CVE-2026-2373 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Royal Addons for Elementor – Addons and Templates Kit for Elementor WordPress plugin, versions up to and including 1.7.1049. The vulnerability arises from the get_main_query_args() function, which fails to enforce proper authorization checks when querying posts. This flaw allows unauthenticated attackers to retrieve contents of non-public custom post types, including sensitive data such as Contact Form 7 submissions and WooCommerce coupons. The root cause is insufficient restrictions on which posts can be included in queries, leading to unauthorized information exposure. The vulnerability is remotely exploitable over the network without any privileges or user interaction, making it accessible to any attacker aware of the flaw. The CVSS v3.1 base score is 5.3 (medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and limited confidentiality impact. No integrity or availability impacts are noted. No patches or known exploits are currently available, but the vulnerability poses a risk to WordPress sites using this plugin, especially those handling sensitive customer data or e-commerce transactions.

The primary impact of CVE-2026-2373 is unauthorized disclosure of sensitive information stored in non-public custom post types within WordPress sites using the affected plugin. This can include private customer data such as contact form submissions and coupon codes, which may be leveraged for fraud, phishing, or further attacks. Confidentiality is compromised, potentially damaging customer trust and violating data protection regulations such as GDPR or CCPA. Although the vulnerability does not affect data integrity or availability, the exposure of sensitive information can have significant reputational and financial consequences for organizations. E-commerce sites using WooCommerce are particularly at risk due to exposure of coupon codes, which could lead to financial loss. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of opportunistic scanning and data harvesting. Organizations worldwide relying on this plugin for WordPress content management and e-commerce functionality face moderate risk until mitigations or patches are applied.

To mitigate CVE-2026-2373, organizations should first verify if they are using the Royal Addons for Elementor plugin version 1.7.1049 or earlier. Immediate steps include disabling or removing the vulnerable plugin if feasible. If removal is not possible, restrict access to WordPress REST API endpoints and custom post types by implementing strict access controls and authentication mechanisms at the web server or application firewall level. Employ WordPress security plugins that can enforce role-based access control and limit exposure of sensitive post types. Monitor web server logs for unusual access patterns targeting the plugin’s query functions. Regularly update the plugin once the vendor releases a patch addressing the authorization flaw. Additionally, review and minimize the storage of sensitive data in custom post types where possible, and ensure backups are securely stored. Educate site administrators on the risks of installing unverified plugins and maintain a robust patch management process for WordPress environments.