CVE-2026-8118: CWE-73 External Control of File Name or Path in wproyal Royal Addons for Elementor – Addons and Templates Kit for Elementor
The Royal Addons for Elementor plugin for WordPress versions 1.7.1058 through 1.7.1059 contains a vulnerability allowing authenticated users with Contributor-level access or higher to read arbitrary files on the server. This occurs because the wpr_get_csv_handle() helper function improperly handles a user-controlled URL parameter without sufficient validation, enabling file read operations on any file accessible by the PHP process.
AI Analysis
Technical Summary
CVE-2026-8118 is an arbitrary file read vulnerability in the Royal Addons for Elementor – Addons and Templates Kit for Elementor WordPress plugin. Introduced in version 1.7.1058 as part of a patch for a previous vulnerability (CVE-2026-6229), the wpr_get_csv_handle() helper function falls back to using is_readable() and fopen() on the attacker-controlled settings.table_upload_csv.url parameter when the input does not parse as an HTTP URL. This fallback lacks allow-listing, directory traversal prevention, and file extension checks, allowing authenticated users with Contributor-level privileges or higher to save a crafted wpr-data-table widget via Elementor's save_builder endpoint. The rendered preview then discloses the contents of any file readable by the PHP process, including sensitive files such as wp-config.php.
Potential Impact
An attacker with Contributor-level or higher access can read arbitrary files on the server that the PHP process can access. This can lead to disclosure of sensitive configuration files and potentially other sensitive data, compromising confidentiality. There is no impact on integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Contributor-level access to trusted users only and monitor for suspicious activity related to the wpr-data-table widget. Avoid using affected plugin versions if possible.
CVE-2026-8118: CWE-73 External Control of File Name or Path in wproyal Royal Addons for Elementor – Addons and Templates Kit for Elementor
Description
The Royal Addons for Elementor plugin for WordPress versions 1.7.1058 through 1.7.1059 contains a vulnerability allowing authenticated users with Contributor-level access or higher to read arbitrary files on the server. This occurs because the wpr_get_csv_handle() helper function improperly handles a user-controlled URL parameter without sufficient validation, enabling file read operations on any file accessible by the PHP process.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8118 is an arbitrary file read vulnerability in the Royal Addons for Elementor – Addons and Templates Kit for Elementor WordPress plugin. Introduced in version 1.7.1058 as part of a patch for a previous vulnerability (CVE-2026-6229), the wpr_get_csv_handle() helper function falls back to using is_readable() and fopen() on the attacker-controlled settings.table_upload_csv.url parameter when the input does not parse as an HTTP URL. This fallback lacks allow-listing, directory traversal prevention, and file extension checks, allowing authenticated users with Contributor-level privileges or higher to save a crafted wpr-data-table widget via Elementor's save_builder endpoint. The rendered preview then discloses the contents of any file readable by the PHP process, including sensitive files such as wp-config.php.
Potential Impact
An attacker with Contributor-level or higher access can read arbitrary files on the server that the PHP process can access. This can lead to disclosure of sensitive configuration files and potentially other sensitive data, compromising confidentiality. There is no impact on integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Contributor-level access to trusted users only and monitor for suspicious activity related to the wpr-data-table widget. Avoid using affected plugin versions if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-07T16:50:03.874Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a34df99f198dc38c19de749
Added to database: 6/19/2026, 6:20:09 AM
Last enriched: 6/19/2026, 6:35:40 AM
Last updated: 6/19/2026, 7:42:37 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.