Local File Inclusion Vulnerability in LA-Studio Element Kit for Elementor Plugin
CVE-2026-15338
7.5HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-15338?
The LA-Studio Element Kit for Elementor plugin for WordPress contains a Local File Inclusion vulnerability that affects all versions up to and including 1.6.1. This flaw allows authenticated attackers with contributor-level access or higher to include and execute arbitrary PHP files on the server through the get_type_template function. The vulnerability arises because the wp_normalize_path function does not adequately prevent path traversal sequences, which can lead to unauthorized access and code execution. Attackers may exploit this vulnerability to bypass access controls, retrieve sensitive information, or execute malicious code from included PHP files.
Affected Version(s)
LA-Studio Element Kit for Elementor 0 <= 1.6.1