Description
The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Xpro Elementor Addons – Pro plugin for WordPress includes an insecure Draw SVG widget that allows authenticated users with Contributor or higher privileges to read arbitrary files from the server. This flaw, identified as CWE‑73, permits disclosure of confidential data such as configuration files, database credentials, or code, potentially enabling further attacks.

Affected Systems

All WPXpro Xpro Elementor Addons – Pro installations running version 1.4.7 or earlier are affected; no further sub‑version details are provided, so any build of the plugin up to and including 1.4.7 remains vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and no EPSS data is available to gauge exploitation probability. The vulnerability is not listed in CISA's KEV catalog. As inferred from the description, exploitation requires authenticated access with Contributor or higher permissions: an attacker would need legitimate login credentials or elevated privileges on the WordPress site in order to read files.

Generated by OpenCVE AI on May 27, 2026 at 11:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Xpro Elementor Addons – Pro plugin to version 1.4.8 or later, which removes the insecure file‑reading logic.
  • If an update is not immediately available, revoke or limit Contributor role access for all users or enforce stricter permission settings on the plugin’s Draw SVG feature.
  • As a temporary workaround, disable the Draw SVG widget or remove it from the editor until a patch is applied.

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:30:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Values added:
  Description: The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
  Title: Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG
  Weaknesses: CWE-73
  References: (none listed)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Updated: 2026-05-27T14:30:26.615Z

Reserved: 2025-01-30T20:00:15.198Z

Link: CVE-2025-0898

Vulnrichment

Updated: 2026-05-27T14:30:07.936Z

NVD

Status : Deferred

Published: 2026-05-27T11:16:16.633

Modified: 2026-05-27T14:50:47.627

Link: CVE-2025-0898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses