CVE-2025-26990: 
WordPress vulnerability analysis and mitigation

Server-Side Request Forgery (SSRF) vulnerability was discovered in WP Royal Royal Elementor Addons affecting versions through 1.7.1006. The vulnerability was publicly disclosed on April 11, 2025, and received the identifier CVE-2025-26990. This security issue affects the WordPress plugin Royal Elementor Addons and allows authenticated administrators to perform Server Side Request Forgery attacks (Patchstack, WPScan).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 Base Score of 4.4 (MEDIUM). The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, high attack complexity, and high privileges to exploit (NVD).

The vulnerability allows authenticated attackers with Administrator-level access to make web requests to arbitrary locations originating from the web application. This capability can be exploited to query and modify information from internal services, potentially exposing sensitive information (WPScan).

The vulnerability has been fixed in version 1.7.1007 of the Royal Elementor Addons plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).