Impact
The Sparkle Elementor Kit plugin (Jakub Glos) contains an improper control of filename for include/require statement vulnerability. An attacker can specify or manipulate the path that the plugin passes to a PHP include/require statement, resulting in local file inclusion (LFI). This LFI can enable the attacker to read sensitive files or execute PHP code on the server, potentially compromising the integrity and confidentiality of the WordPress installation. The vulnerability is classified as CWE‑98 and can escalate to remote code execution if the included files contain executable code.
Affected Systems
All WordPress sites that have installed Sparkle Elementor Kit up to and including version 2.0.9 are susceptible. No later versions are mentioned in the advisory, implying that any release beyond 2.0.9 has likely mitigated the issue.
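A check an administrator could run against the affected range stated above, as an added example that is not part of the advisory or the plugin: it reads the standard WordPress plugin header from each plugin's PHP files and reports copies named Sparkle Elementor Kit at version 2.0.9 or lower. The plugins directory path and the folder names in the constructed demo are assumptions; the advisory does not give the plugin's folder slug, so matching is by plugin name.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Sparkle Elementor Kit"  # name as given in the advisory
LAST_AFFECTED = (2, 0, 9)              # "up to and including version 2.0.9"

# WordPress reads plugin metadata from "Field: value" lines in the header comment.
HEADER = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.M | re.I)

def read_header(php_file):
    """Return the header fields found in the first 8 KiB (first occurrence wins)."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    meta = {}
    for key, value in HEADER.findall(text):
        meta.setdefault(key.lower(), value.strip())
    return meta

def version_tuple(version):
    """'2.0.9' -> (2, 0, 9); a suffix such as '-beta1' is ignored, short versions padded."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def find_affected(plugins_dir):
    """List (file, version) for installed copies at or below the last affected version."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        meta = read_header(php)
        if meta.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        version = meta.get("version", "0")  # no Version line: report it as affected
        if version_tuple(version) <= LAST_AFFECTED:
            hits.append((str(php), version))
    return hits

def demo():
    """Scan a constructed plugins directory (folder names are hypothetical)."""
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in (("copy-old", "2.0.9"), ("copy-new", "2.1.0")):
            plugin_dir = Path(root, folder)
            plugin_dir.mkdir()
            (plugin_dir / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {ver}\n */\n")
        return [version for _, version in find_affected(root)]

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of `wp-content/plugins` to `find_affected` instead of the constructed directory.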
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Although the attack likely requires the attacker to influence or trick the plugin into including a specific file path, the local nature of the flaw means that it could be triggered from the web interface if input is not properly sanitized. Despite the low exploitation probability, the high severity score makes patching a high priority, and the risk remains significant enough to warrant immediate remediation.