Arbitrary File Read Vulnerability in Hide My WP Lite Plugin for WordPress
CVE-2026-13347

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
10 July 2026

What is CVE-2026-13347?

The Hide My WP Lite plugin for WordPress contains a vulnerability that allows unauthorized access to arbitrary files on the server. This issue arises from the improper handling of user-supplied input in the he_wrapper_js and he_wrapper_css query parameters, which are processed by the elementor_assets_filter() function. The function directly appends this input to ABSPATH and utilizes file_get_contents() to retrieve the file contents, bypassing essential security checks such as path traversal validation, allow-listing, and extension verification. Although wp_kses_post() is employed to sanitize the output, it fails to prevent the disclosure of sensitive file information. This vulnerability can be exploited by an unauthenticated attacker if the Elementor plugin is active and the 'Hide Elementor' feature is enabled, potentially exposing sensitive files like wp-config.

Affected Version(s)

Hide My WP Lite 0 <= 1.3

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan
.