Skip to main content

La Studio Element Kit For Elementor

4 CVEs product

Monthly

CVE-2026-15338 HIGH This Week

Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.

WordPress LFI Path Traversal RCE PHP +2
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12276 MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-10787 MEDIUM PATCH This Month

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the 'elementor-template' shortcode due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass WordPress Information Disclosure La Studio Element Kit For Elementor
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-2249 MEDIUM PATCH This Month

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress La Studio Element Kit For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.

WordPress LFI Path Traversal +4
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the 'elementor-template' shortcode due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress La Studio Element Kit For Elementor +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy