Description
Path Traversal: '.../...//' vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.2.6.
Published: 2025-01-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in the Element Invader Addons for Elementor plugin allows an attacker to include arbitrary local files by manipulating the file path parameter, potentially exposing sensitive data or executing PHP code. The vulnerability is classified as CWE‑22 (Path Traversal) and CWE‑35 (Improper Handling of Relative Path).

Affected Systems

WordPress sites that have installed the Element Invader Addons for Elementor plugin, specifically versions up to and including 1.2.6. No other product versions are mentioned as affected.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity, while a very low EPSS score (<1%) suggests that active exploitation is unlikely at present; the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the most probable attack vector involves a remote attacker submitting a crafted request to the plugin’s endpoint over the web, exploiting the path traversal to trigger a PHP Local File Inclusion that could read files or execute code.

Generated by OpenCVE AI on May 1, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Element Invader Addons for Elementor plugin to version 1.2.7 or later to remove the inclusion bug.
  • Immediately disable or remove the plugin from any WordPress site if an upgrade cannot be performed promptly.
  • Restrict web access to the plugin’s internal files using server configuration (e.g., .htaccess rules) or file‑permission hardening to prevent unintended file inclusion.

Advisories
Source: EUVD
ID: EUVD-2025-2995
Title: Path Traversal vulnerability in ElementInvader ElementInvader Addons for Elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through 1.2.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Path Traversal vulnerability in ElementInvader ElementInvader Addons for Elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through 1.2.6.
Values Added: Path Traversal: '.../...//' vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.2.6.

Type: Weaknesses
Values Added: CWE-22

Type: CPEs
Values Added: cpe:2.3:a:elementinvader:elementinvader_addons_for_elementor:*:*:*:*:*:wordpress:*:*

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 15 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 15:30:00 +0000

Type: Description
Values Added: Path Traversal vulnerability in ElementInvader ElementInvader Addons for Elementor allows PHP Local File Inclusion. This issue affects ElementInvader Addons for Elementor: from n/a through 1.2.6.

Type: Title
Values Added: WordPress ElementInvader Addons for Elementor plugin <= 1.2.6 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-35

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:07.130Z

Reserved: 2025-01-07T21:05:06.989Z

Link: CVE-2025-22786

Vulnrichment

Updated: 2025-01-15T19:27:16.459Z

NVD

Status: Modified

Published: 2025-01-15T16:15:41.440

Modified: 2026-04-23T15:23:36.830

Link: CVE-2025-22786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:45:09Z

Weaknesses