Cyber Resilience

CVE-2026-6229

High

Published: 02 May 2026

Published
02 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0002 6.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6229 is a high-severity SSRF (CWE-918) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to, and including, 1.7.1057. The vulnerability arises from insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter. These URLs are subsequently used in fopen() calls without blocking internal or private network addresses.

Authenticated attackers with Contributor-level access and above can exploit this vulnerability to make requests to arbitrary URLs and retrieve sensitive information from internal services. The CVSS score is 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), and it is associated with CWE-918 (Server-Side Request Forgery).

The provided references link to the plugin's source code on the WordPress plugins trac repository, specifically lines 1832, 1873, 1918, and 2075 in modules/data-table/widgets/wpr-data-table.php from tag 1.7.1049, as well as line 1832 in the trunk version.

EU & UK References

Vulnerability details

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets'…

more

in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF vulnerability in public-facing WordPress plugin directly enables exploitation of the application (T1190); ability to issue requests to arbitrary internal/private URLs facilitates network service discovery on internal hosts (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13924Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-25785Shared CWE-918
CVE-2024-53705Shared CWE-918
CVE-2026-5418Shared CWE-918
CVE-2026-45082Shared CWE-918
CVE-2026-7065Shared CWE-918
CVE-2025-55150Shared CWE-918
CVE-2025-28091Shared CWE-918
CVE-2025-1849Shared CWE-918

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the insufficient validation of user-supplied URLs in render_csv_data() by requiring checks to prevent SSRF exploitation via fopen() to arbitrary or internal addresses.

prevent

Requires timely identification, reporting, and correction of the SSRF flaw in Royal Elementor Addons versions up to 1.7.1057, preventing exploitation.

prevent

Enforces approved information flow authorizations to block unvalidated URLs from reaching internal or private network services during SSRF attempts.

References