CVE-2026-6229
Royal Elementor Addons · Royal Elementor Addons for WordPress
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation.
Executive summary
A Server-Side Request Forgery (SSRF) vulnerability in the Royal Elementor Addons plugin allows an authenticated attacker to make the web server issue requests to attacker-chosen destinations, so that the requests appear to originate from the server itself.
Vulnerability
The plugin is susceptible to Server-Side Request Forgery (SSRF) because it does not adequately validate user-supplied input before the server acts on it. Exploitation requires an authenticated user who can reach the vulnerable function; from that position the attacker can force the server to send requests to internal or external resources that the attacker could not reach directly.
Business impact
With a CVSS score of 7.2, this high-severity vulnerability could allow an attacker to probe internal network infrastructure, reach hosts that the perimeter firewall shields from the internet, or interact with internal APIs that are not publicly exposed, including cloud instance-metadata services where the site is hosted on a cloud VM. This can lead to unauthorized data access and reconnaissance, potentially facilitating further attacks within the network.
Remediation
Immediate Action: Update the Royal Elementor Addons plugin to the version in which the vendor fixes this issue as soon as it is released; until then, treat every installed copy as vulnerable.
Proactive Monitoring: Outbound requests made by the server do not appear in web server access logs, so monitor egress telemetry instead (host firewall, egress proxy, or VPC flow logs) for connections originating from the web server to RFC 1918 ranges, loopback, link-local addresses such as the cloud metadata endpoint 169.254.169.254, and other internal services. Correlate any hit with the inbound request to the plugin that triggered it.
Compensating Controls: Restrict the web server's outbound network access to the destinations it actually needs, since an egress allow-list blocks SSRF regardless of how the request is encoded. A Web Application Firewall (WAF) can additionally block requests carrying URL-like parameters aimed at internal addresses, but treat it as a partial control: WAF rules are routinely bypassed with alternative IP encodings, redirects, and DNS names that resolve to internal hosts.
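To make the monitoring item concrete, the following added example (not code from the Royal Elementor Addons plugin or its vendor) classifies the destination of each server-originated request in an egress log and flags those aimed at internal, loopback, link-local, metadata, or other non-public targets, which is the traffic pattern SSRF exploitation produces. The log format, the hostnames, and the log lines themselves are constructed for this example; it also decodes the single-integer IPv4 spellings (decimal, hex, octal) and the IPv4-mapped IPv6 form that attackers use to slip past naive filters.

```python
"""Flag server-originated egress requests to non-public destinations.

Added example for this advisory; the log format below is hypothetical and the
sample lines are constructed. Only literal addresses and obvious internal
hostnames are classified: a public DNS name that resolves to an internal
address needs a resolver, which this offline example deliberately avoids.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical egress-proxy record: "<timestamp> src=<ip> url=<url> status=<code>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$")

SENSITIVE_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "127.0.0.0/8", "::1/128",                          # loopback
        "169.254.0.0/16", "fe80::/10",                      # link-local, incl. 169.254.169.254 metadata
        "100.64.0.0/10",                                    # CGNAT, used by some cloud metadata services
        "0.0.0.0/8", "fc00::/7",                            # "this" network, IPv6 unique-local
    )
]

# Constructed list of hostnames that always denote an internal target.
INTERNAL_HOSTS = {"localhost", "metadata", "instance-data", "metadata.google.internal"}


def parse_obfuscated_ipv4(token: str) -> Optional[ipaddress.IPv4Address]:
    """Decode single-integer IPv4 spellings: 2130706433, 0x7f000001, 017700000001."""
    try:
        if token.startswith("0x"):
            value = int(token, 16)
        elif token.startswith("0") and token.isdigit():
            value = int(token, 8)
        elif token.isdigit():
            value = int(token, 10)
        else:
            return None
    except ValueError:
        return None
    return ipaddress.IPv4Address(value) if 0 <= value <= 0xFFFFFFFF else None


def classify_destination(host: str) -> Optional[str]:
    """Return a reason string if `host` is a sensitive target, else None."""
    h = host.lower()
    if h in INTERNAL_HOSTS or h.endswith(".internal") or h.endswith(".localhost"):
        return "internal hostname"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        ip = parse_obfuscated_ipv4(h)
        if ip is None:
            return None  # ordinary DNS name; resolution would be the next step
    # ::ffff:10.0.0.12 is 10.0.0.12 wearing an IPv6 coat; unwrap before matching.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in SENSITIVE_NETS:
        if ip in net:  # False when address and network families differ
            return f"address in {net}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, url, reason) for every request aimed at a sensitive destination."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # in production, count unparseable lines rather than dropping them silently
        host = urlsplit(m["url"]).hostname  # strips brackets, port and any userinfo trick
        if not host:
            continue
        reason = classify_destination(host)
        if reason:
            hits.append((m["ts"], m["url"], reason))
    return hits


# Constructed sample log: the web server at 10.0.1.5 making outbound requests.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z src=10.0.1.5 url=https://cdn.example.com/widget.json status=200
2026-03-01T10:00:02Z src=10.0.1.5 url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ status=200
2026-03-01T10:00:03Z src=10.0.1.5 url=http://2130706433:8080/admin status=403
2026-03-01T10:00:04Z src=10.0.1.5 url=http://[::ffff:10.0.0.12]/ status=200
2026-03-01T10:00:05Z src=10.0.1.5 url=http://metadata.google.internal/computeMetadata/v1/ status=200
2026-03-01T10:00:06Z src=10.0.1.5 url=http://cdn.example.com@127.0.0.1/ status=200
""".splitlines()

if __name__ == "__main__":
    for ts, url, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} SSRF-like egress to {url} ({reason})")
```

Running the block prints five of the six sample lines; only the request to cdn.example.com passes. The hostname check is intentionally narrow: in a real deployment, feed the unmatched DNS names through a resolver and re-check the resolved addresses, because an attacker-controlled name can resolve to 127.0.0.1 just as easily as a literal can.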
Exploitation status
Public Exploit Available: False
Analyst recommendation
While this vulnerability requires authentication, it remains a serious concern for WordPress administrators, because the accounts that can reach the vulnerable function are often numerous and weakly protected. Restrict the administrative and plugin-related capabilities needed to trigger the function to trusted users, review existing accounts for ones that no longer need them, and apply the security update immediately upon its release to close the SSRF vector.