{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2373", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T20:47:09.620Z", "datePublished": "2026-03-17T03:36:25.155Z", "dateUpdated": "2026-04-08T17:20:32.228Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:32.228Z"}, "affected": [{"vendor": "wproyal", "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1049", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons."}], "title": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3475656/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "timeline": [{"time": "2026-02-11T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-11T21:03:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-16T15:17:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:25:07.262434Z", "id": "CVE-2026-2373", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:25:15.811Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:25:07.262434Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:25:12.267Z"}}], "cna": {"title": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wproyal", "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7.1049"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-11T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-11T21:03:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-16T15:17:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3475656/"}], "descriptions": [{"lang": "en", "value": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-17T03:36:25.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2373", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:25:15.811Z", "dateReserved": "2026-02-11T20:47:09.620Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-17T03:36:25.155Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons."}, {"lang": "es", "value": "El plugin Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n en todas las versiones hasta la 1.7.1049, inclusive, a trav\u00e9s de la funci\u00f3n get_main_query_args() debido a restricciones insuficientes sobre qu\u00e9 publicaciones pueden incluirse. Esto hace posible que atacantes no autenticados extraigan el contenido de tipos de publicaciones personalizadas no p\u00fablicas, como env\u00edos de Contact Form 7 o cupones de WooCommerce."}], "id": "CVE-2026-2373", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-17T04:16:14.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3475656/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.1049]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor", "source": "cna", "vendor": "wproyal"}, "product": "royal_addons_for_elementor_\u2013_addons_and_templates_kit_for_elementor", "vendor": "wproyal"}], "analysis": {"en": {"generated_at": "2026-03-17T05:20:34.132115+00:00", "value": {"mitigation_remediation": ["Apply an updated version of Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor that is newer than 1.7.1049."], "summary": {"action": "Apply Patch", "impact": "Information Exposure"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all installations of the wproyal:Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin with version numbers up to and including 1.7.1049. No other vendors or products are listed as affected. ", "description_and_impact": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to information exposure because its get_main_query_args() function does not enforce proper authorization on which custom post types can be retrieved. As a result, unauthenticated attackers can extract content from non\u2011public custom post types, such as Contact Form 7 submissions or WooCommerce coupons. This represents a confidentiality breach that could expose user data, marketing campaign details, or other sensitive information that was intended to remain private. ", "risk_and_exploitability": "With an overall CVSS score of 5.3 the vulnerability is rated medium in severity. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalogue. Because the flaw can be exploited without any authentication, any visitor to the site can trigger the get_main_query_args() function and retrieve non\u2011public content, making the risk moderate to high for sites that use such custom post types. No special environmental conditions are required for exploitation. "}}}}, "created": "2026-03-17T09:51:57.232439+00:00", "updated": "2026-03-24T10:49:35.553793+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wproyal", "wproyal$PRODUCT$royal_addons_for_elementor_\u2013_addons_and_templates_kit_for_elementor"]}