The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 | |
| Metrics |
cvssV3_1
|
Fri, 17 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items. | |
| Title | Royal Elementor Addons < 1.7.1063 - Unauthenticated Private Mega Menu Template Disclosure | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-17T12:56:50.988Z
Reserved: 2026-06-26T08:45:52.657Z
Link: CVE-2026-13402
Updated: 2026-07-17T12:56:38.875Z
No data.
No data.
OpenCVE Enrichment
No data.