CVE-2026-6229
Published: 02 May 2026
Summary
CVE-2026-6229 is a high-severity SSRF (CWE-918) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 6.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to, and including, 1.7.1057. The vulnerability arises from insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter. These URLs are subsequently used in fopen() calls without blocking internal or private network addresses.
Authenticated attackers with Contributor-level access and above can exploit this vulnerability to make requests to arbitrary URLs and retrieve sensitive information from internal services. The CVSS score is 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), and it is associated with CWE-918 (Server-Side Request Forgery).
The provided references link to the plugin's source code on the WordPress plugins trac repository, specifically lines 1832, 1873, 1918, and 2075 in modules/data-table/widgets/wpr-data-table.php from tag 1.7.1049, as well as line 1832 in the trunk version.
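The check this advisory describes as missing, shown as an added example written here in Python rather than the plugin's PHP: a hypothetical substring allowlist stands in for the bypassable check, beside a hardened version that parses the URL, requires the exact host and path prefix, and rejects any name that resolves to loopback, private or otherwise non-global address space. The URLs, the fake DNS answer and the resolver are constructed for the example and are not taken from the plugin.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_HOST = "docs.google.com"        # the only host the CSV feature needs
ALLOWED_PATH_PREFIX = "/spreadsheets/"

def weak_allows(url: str) -> bool:
    """Hypothetical stand-in for a substring allowlist: any URL containing the
    marker passes, even when the marker only sits in a query string or path."""
    return "docs.google.com/spreadsheets" in url

def hardened_allows(url: str, resolve=socket.gethostbyname) -> bool:
    """Parse first, then enforce scheme, exact host and path prefix, and finally
    reject any host whose resolved address is not globally routable."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return False        # wrong scheme, lookalike host, or user@host trick
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return False
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError):
        return False        # unresolvable or malformed answer: treat as unsafe
    # is_global is False for loopback, RFC 1918, link-local and reserved space.
    # The fetch should then connect to this same address (IP pinning) so that a
    # second DNS answer cannot substitute a private one (DNS rebinding).
    return ip.is_global

def evaluate(urls, resolve):
    """Return {url: (weak_verdict, hardened_verdict)} for a batch of inputs."""
    return {u: (weak_allows(u), hardened_allows(u, resolve)) for u in urls}

# Constructed test vectors and a constructed offline resolver (not real DNS data).
SAMPLE_URLS = [
    "https://docs.google.com/spreadsheets/d/abc123/export?format=csv",
    "http://10.0.0.5/admin?u=docs.google.com/spreadsheets",
    "http://127.0.0.1:8080/docs.google.com/spreadsheets",
]
FAKE_DNS = {"docs.google.com": "142.250.0.1"}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return FAKE_DNS[host]

if __name__ == "__main__":
    for url, (weak, hard) in evaluate(SAMPLE_URLS, fake_resolve).items():
        print(f"weak={weak!s:<5} hardened={hard!s:<5} {url}")
```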
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26757
Vulnerability details
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in a public-facing WordPress plugin directly enables exploitation of the application (T1190); the ability to issue requests to arbitrary internal/private URLs facilitates network service discovery on internal hosts (T1046).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) directly addresses the insufficient validation of user-supplied URLs in render_csv_data() by requiring checks that prevent SSRF exploitation via fopen() to arbitrary or internal addresses.
Requires timely identification, reporting, and correction of the SSRF flaw in Royal Elementor Addons versions up to 1.7.1057, preventing exploitation.
AC-4 (Information Flow Enforcement) enforces approved information flow authorizations, blocking unvalidated URLs from reaching internal or private network services during SSRF attempts.