WordPress Plugin Vulnerabilities

Element Pack Addons for Elementor < 8.3.18 - Authenticated (Contributor+) Arbitrary File Read

Description

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render_svg' function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

References

Classification

Type
LFI
OWASP top 10
CWE

Miscellaneous

Original Researcher
Chiao-Lin Yu (Steven Meow)
Verified
No

Timeline

Publicly Published
2026-02-14 (about 4 months ago)
Added
2026-02-14 (about 4 months ago)
Last Updated
2026-02-15 (about 4 months ago)

Other