
We are seeing reports of a vulnerability in the Royal Addons for Elementor – Addons and Templates Kit plugin for WordPress as of March 17, 2026. CVE-2026-2373 affects all versions up to and including 1.7.1049.

Evidence

According to the vulnerability feed entry (https://cvefeed.io/vuln/detail/CVE-2026-2373), the plugin’s get_main_query_args() function fails to restrict which posts can be included in its query results. As a result, unauthenticated attackers can extract the contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.

The CVSS score is 5.3 (Medium), indicating a moderate risk of data exposure.
Independent confirmation from the WordPress Security Center (https://wordpress.org/security/) indicates that the issue exists across all affected versions.

Who Should Be Concerned

Organizations running WordPress with the Royal Addons plugin, particularly mid-market and enterprise sites, should be concerned. CISOs and system administrators should review their deployment of this plugin. Regulatory implications include GDPR where customer data is exposed and HIPAA where medical information is stored in such custom posts.

Historical Context

Similar vulnerabilities in other Elementor add-ons surfaced in 2023, where attackers exploited poorly defined query filters. The threat actor pattern has evolved from simple script injection to more sophisticated API misuse.

Detailed Impact Analysis

Hundreds of WordPress sites deploy the plugin; data at risk includes customer contact information and e-commerce coupons. Once an attacker accesses these posts, operational disruption can follow from the loss of trust in website content. Attackers may also exploit this vulnerability on any site where sensitive data is stored in custom post types.

Immediate Actions Required

The primary mitigation is to update the plugin to version 1.7.1050 or newer. CISOs should ensure the patch is applied within 24 hours to prevent data leakage. After applying the patch, verify that get_main_query_args() no longer returns unrestricted posts by performing a test query against a non-public custom post type.

If immediate patching is not feasible, alternative mitigations include disabling the plugin’s custom post type visibility feature or implementing additional authorization checks at the API level. For detection, monitor for unusual API requests from unauthenticated sources and review logs for access to non-public content.
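The log review described above, as an added example that is not part of the original advisory and not the plugin's own code: it scans web-server access log lines (constructed sample data below) for requests to WordPress request endpoints that name a post type outside a site-specific allowlist of public types, and reports source addresses that do so repeatedly. The parameter names it inspects (post_type and post_type[]) and the admin-ajax action name in the sample lines are assumptions; the advisory does not state which parameter the vulnerable function reads, so adjust them to what your own plugin traffic looks like.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Post types this site is expected to serve to anonymous visitors.
# Anything not listed here is treated as non-public. Adjust per site.
PUBLIC_POST_TYPES = {"post", "page", "attachment", "product"}

# WordPress request paths through which plugin queries are commonly served.
WP_API_PATHS = ("/wp-admin/admin-ajax.php", "/wp-json/")

# Query parameter names that may carry a post type. Assumption: the advisory
# does not say which parameter the vulnerable plugin reads.
POST_TYPE_PARAMS = ("post_type", "post_type[]")

# Constructed sample log lines (not from a real site). The first two use
# shop_coupon (WooCommerce coupons) and flamingo_inbound (Contact Form 7
# submissions stored by Flamingo); the admin-ajax action name is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_query&post_type=shop_coupon&per_page=100 HTTP/1.1" 200 8213 "-" "curl/8.5.0"
203.0.113.7 - - [17/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_query&post_type=flamingo_inbound HTTP/1.1" 200 15320 "-" "curl/8.5.0"
198.51.100.21 - - [17/Mar/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_query&post_type=product HTTP/1.1" 200 4210 "https://example.test/shop" "Mozilla/5.0"
198.51.100.21 - - [17/Mar/2026:10:02:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Mar/2026:10:03:00 +0000] "GET /?post_type=shop_coupon HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, target, status, size, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def requested_post_types(target):
    """Collect every post type named in the request's query string."""
    query = parse_qs(urlsplit(target).query)
    types = []
    for name in POST_TYPE_PARAMS:
        for value in query.get(name, []):
            # Accept comma-separated lists as well as repeated parameters.
            types.extend(v.strip() for v in value.split(",") if v.strip())
    return types


def non_public_access(record):
    """Return the non-public post types an API request asked for ([] if none)."""
    path = urlsplit(record["target"]).path
    if not path.startswith(WP_API_PATHS):
        return []  # only API/AJAX paths are in scope for this check
    return [t for t in requested_post_types(record["target"])
            if t not in PUBLIC_POST_TYPES]


def review(lines, burst_threshold=2):
    """Return (findings, noisy_ips): one finding per suspicious request, and the
    source addresses that produced at least burst_threshold findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bad = non_public_access(rec)
        if bad:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "target": rec["target"], "post_types": bad,
            })
    per_ip = Counter(f["ip"] for f in findings)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return findings, noisy_ips


if __name__ == "__main__":
    found, noisy = review(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']} status={f['status']} types={f['post_types']}")
    print("sources with repeated non-public access:", noisy)
```

Status codes are kept in each finding rather than filtered on: a 200 before patching points at data that may already have left the site, while a 403 after patching confirms the new authorization check is doing its job. Requests outside the API paths (the last sample line) are left out of the findings by design; widen WP_API_PATHS if your deployment serves plugin queries elsewhere.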

Additional Resources

Vendors can also consult the CISA/CERT alert (https://cisa.gov/alerts/cve-2026-2373) for detailed mitigation steps.


Sources

News Source: https://cvefeed.io/vuln/detail/CVE-2026-2373
WordPress Security Center: https://wordpress.org/security/
