Arbitrary File Read Vulnerability in Hide My WP Lite Plugin for WordPress
CVE-2026-13347
What is CVE-2026-13347?
The Hide My WP Lite plugin for WordPress contains a vulnerability that allows unauthorized access to arbitrary files on the server. This issue arises from the improper handling of user-supplied input in the he_wrapper_js and he_wrapper_css query parameters, which are processed by the elementor_assets_filter() function. The function directly appends this input to ABSPATH and utilizes file_get_contents() to retrieve the file contents, bypassing essential security checks such as path traversal validation, allow-listing, and extension verification. Although wp_kses_post() is employed to sanitize the output, it fails to prevent the disclosure of sensitive file information. This vulnerability can be exploited by an unauthenticated attacker if the Elementor plugin is active and the 'Hide Elementor' feature is enabled, potentially exposing sensitive files like wp-config.
Affected Version(s)
Hide My WP Lite 0 <= 1.3