Skip to main content

Hide My WP Lite CVE-2026-13347

| EUVDEUVD-2026-42831 HIGH
Path Traversal (CWE-22)
2026-07-10 Wordfence GHSA-3335-cc43-jrmm
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Network-reachable unauthenticated read (AV:N/PR:N) but AC:H because a non-default Elementor + 'Hide Elementor' configuration is required; confidentiality-only impact (C:H, I/A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 08:29 vuln.today
CVE Published
Jul 10, 2026 - 06:51 nvd
HIGH 7.5

DescriptionCVE.org

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the he_wrapper_js and he_wrapper_css query parameters processed by the elementor_assets_filter() function. This is due to the function concatenating user-supplied input directly onto ABSPATH and passing the result to file_get_contents() without any path traversal validation, allow-list, realpath containment, or extension check; the result is then echoed in the HTTP response. Although the output is passed through wp_kses_post(), that function only filters HTML tags and does not prevent disclosure of arbitrary file contents. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the affected site's server (such as wp-config). Note: The exploit requires the Elementor plugin and the 'Hide Elementor' feature to be enabled.

AnalysisAI

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WP site with Hide My WP Lite + Elementor
Delivery
Send GET with he_wrapper_css=../../../wp-config.php
Exploit
elementor_assets_filter() concatenates onto ABSPATH
Execution
file_get_contents() reads file outside webroot
Persist
Contents echoed in HTTP response
Impact
Harvest DB credentials and auth salts

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to have both the Elementor plugin installed and the Hide My WP Lite plugin's 'Hide Elementor' feature explicitly enabled - this is a non-default configuration and is the primary factor limiting real-world reach. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5) reflects a high-confidentiality, network-reachable, unauthenticated read with no integrity or availability impact - consistent with the description of an unauthenticated arbitrary file read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a single crafted GET request to a WordPress site running Hide My WP Lite ≤ 1.3 with Elementor and 'Hide Elementor' enabled, setting he_wrapper_js (or he_wrapper_css) to a traversal payload such as '../../../wp-config.php'. The function reads the file relative to ABSPATH and echoes its contents in the HTTP response, handing the attacker the database credentials and secret salts. …
Remediation No vendor-released patch identified at time of analysis - versions up to and including 1.3 are affected and no fixed version was provided in the source data, so administrators should monitor the plugin's WordPress.org page and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/e044c51c-40e0-4d33-8921-616d59e0e0d8?source=cve) for an update beyond 1.3 and apply it immediately when released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress sites running Hide My WP Lite ≤v1.3 with Elementor; disable the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy