Local File Inclusion Vulnerability in LA-Studio Element Kit for Elementor Plugin
CVE-2026-15338

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-15338?

The LA-Studio Element Kit for Elementor plugin for WordPress contains a Local File Inclusion vulnerability that affects all versions up to and including 1.6.1. This flaw allows authenticated attackers with contributor-level access or higher to include and execute arbitrary PHP files on the server through the get_type_template function. The vulnerability arises because the wp_normalize_path function does not adequately prevent path traversal sequences, which can lead to unauthorized access and code execution. Attackers may exploit this vulnerability to bypass access controls, retrieve sensitive information, or execute malicious code from included PHP files.

Affected Version(s)

LA-Studio Element Kit for Elementor 0 <= 1.6.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.