PatchSiren cyber security CVE debrief
CVE-2026-13402 Royal Addons CVE debrief
The Royal Addons for Elementor WordPress plugin before 1.7.1063 has a vulnerability allowing unauthenticated users to retrieve rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items due to insufficient checks on post status and template references in one of its REST endpoints. This issue arises from the plugin's failure to properly validate the post status of menu items and the templates they reference. As a result, attackers can potentially access sensitive content by exploiting this vulnerability. Users of the Royal Addons for Elementor WordPress plugin, especially those with private or draft Elementor templates, should be aware of this vulnerability and take necessary actions to protect their sites. It is recommended to update the plugin to version 1.7.1063 or later and review the plugin's configuration to ensure proper access controls are in place.
- Vendor
- Royal Addons
- Product
- Royal Addons for Elementor
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the Royal Addons for Elementor WordPress plugin, especially those with private or draft Elementor templates, should be aware of this vulnerability and take necessary actions to protect their sites.
Technical summary
The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not properly validate the post status of menu items or the templates they reference in one of its REST endpoints. This oversight allows unauthenticated users to access and retrieve the rendered HTML content of private or draft Elementor templates that are linked from non-public navigation menu items. The vulnerability exists because the plugin fails to check the post status of these menu items and templates, potentially exposing sensitive content.
Defensive priority
Medium-High
Recommended defensive actions
- Update the Royal Addons for Elementor WordPress plugin to version 1.7.1063 or later.
- Review and update the plugin's configuration to ensure proper access controls are in place.
- Monitor for any suspicious activity related to the plugin's REST endpoints.
- Verify plugin version and check for updates.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-17T07:16:38.120Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the vulnerability, and further investigation is recommended. The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items. Evidence limits suggest verifying plugin version, checking for updates, and monitoring for suspicious activity.
Official resources
-
CVE-2026-13402 CVE record
CVE.org
-
CVE-2026-13402 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T07:16:38.120Z and has not been modified since then. The NVD entry is currently in the 'Received' status.