Skip to main content

Element Pack Pro

1 CVEs product

Monthly

CVE-2026-40721 HIGH This Week

Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Element Pack Pro
NVD
CVSS 3.1
7.5
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy