Skip to main content

Hide My Wp Lite

1 CVEs product

Monthly

CVE-2026-13347 HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD
CVSS 3.1
7.5
EPSS
0.5%
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy