The Royal Elementor Addons plugin for WordPress contains an SSRF vulnerability (CWE-918) due to improper validation of URLs passed to the render_csv_data() function. Specifically, attackers can bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling fopen() calls to arbitrary URLs without blocking internal or private network addresses. This allows authenticated users with Contributor-level permissions or higher to make server-side requests to arbitrary URLs, potentially exposing sensitive internal information. The vulnerability affects versions up to 1.7.1057. The CVSS 3.1 base score is 7.2 (high severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and partial confidentiality and integrity impact. No patch or official fix has been published, and no known exploits have been reported.

An authenticated attacker with Contributor-level access or higher can exploit this SSRF vulnerability to make arbitrary HTTP requests from the server hosting the vulnerable plugin. This can lead to unauthorized access to sensitive information from internal or private network services that are otherwise inaccessible externally. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level user permissions to trusted users only and monitor for suspicious activity related to URL inputs in the plugin. Avoid exposing sensitive internal services to the network accessible by the web server. Follow vendor channels for updates on patches or official mitigations.