Impact
The flaw is improper control of the filename used in a PHP include/require statement, which allows local file inclusion (LFI). The plugin does not validate attacker-supplied file names, so an attacker can cause it to read arbitrary files or execute code on the host. This can lead to disclosure of sensitive data or arbitrary code execution, effectively giving the attacker control over the site.
Affected Systems
The affected product is StylemixThemes Consulting Elementor Widgets. All releases of the plugin up to and including version 1.4.2 are vulnerable. Administrators should verify the installed version and whether updates have been applied.
Risk and Exploitability
The CVSS score of 7.5 indicates a high-severity vulnerability. Although the EPSS score is below 1% and the issue is not listed in CISA's KEV catalog, it remains a serious threat. Exploitation requires triggering the plugin's include logic, likely via a specific URL or request parameter. This allows an attacker to read or execute files on the server if file permissions permit. No publicly known exploits exist at the time of this analysis, but the potential impact justifies immediate remediation.
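To illustrate the weakness class described above (an include whose filename the plugin does not validate) and the corresponding fix, here is an added PHP example; it is not the plugin's code, and the function names, template directory and `template` request parameter are hypothetical.

```php
<?php
// Added illustration of the CWE-98 pattern described in the advisory.
// This is NOT the plugin's code; names and paths are hypothetical.

// Vulnerable pattern: the file name comes straight from the request and is
// passed to include. Nothing stops traversal sequences or stream wrappers,
// so a crafted value can pull in files outside the template directory.
function load_widget_template_insecure(string $template): void
{
    include __DIR__ . '/templates/' . $template;
}

// Hardened pattern, two layers:
//  1. accept only template names from a fixed allowlist;
//  2. resolve the final path with realpath() and confirm it is still
//     inside the template directory (defence in depth if the allowlist
//     is later loosened or populated from configuration).
const WIDGET_TEMPLATES = ['default', 'compact', 'card'];

function resolve_widget_template(string $template): ?string
{
    if (!in_array($template, WIDGET_TEMPLATES, true)) {
        return null; // unknown name: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // realpath() collapses "..", so a result outside $base means traversal.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_widget_template(string $template): void
{
    $path = resolve_widget_template($template);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template');
    }
    include $path;
}

// Constructed call site: the template name arrives as a request parameter.
load_widget_template($_GET['template'] ?? 'default');
```

Version 1.4.2 and earlier should be upgraded regardless; the hardened pattern is what a review of any plugin's own include/require call sites should look for.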
OpenCVE Enrichment