Impact
The Element Pack Addons for Elementor plugin for WordPress allows an authenticated attacker with contributor-level access or higher to read any file on the server via the SVG widget. The vulnerability stems from insufficient file validation in the 'render_svg' function, which lets the widget read from an arbitrary, user-controlled file path rather than only from the files it is meant to serve. Successful exploitation could expose sensitive files such as configuration, credentials, or private data, compromising confidentiality and potentially facilitating further attacks.
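The following is an added example, not code from the Element Pack plugin, showing the general shape of the defect described above next to a hardened version: an SVG widget that passes a setting straight to the filesystem versus one that resolves the path, confines it to an allowed base directory, and checks the file type. The function names, the base directory, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code). Contrasts an unsafe path handler
// with one that confines reads to an allowed directory. All names are assumed.

/**
 * Hypothetical unsafe pattern: whatever path is stored in the widget settings
 * is handed to the filesystem unchanged, so any file readable by the web
 * server process can be returned.
 */
function unsafe_render_svg(string $path)
{
    return file_get_contents($path);
}

/**
 * Hardened variant: return the SVG contents only if the requested path resolves
 * to a regular .svg file inside $allowed_base. Returns null on any failure.
 */
function safe_render_svg(string $requested, string $allowed_base): ?string
{
    // Reject URLs and PHP stream wrappers (http://, php://, phar://, ...) and
    // embedded NUL bytes before touching the filesystem at all.
    if ($requested === '' || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Canonicalise the base directory once; bail out if it does not exist.
    $base = realpath($allowed_base);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Treat the request as relative to the base, resolve symlinks and ".."
    // segments, then check containment on the canonical path, not the raw string.
    $real = realpath($base . ltrim($requested, '/\\'));
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return null; // missing, or escaped the allowed directory
    }

    // Only regular files with an .svg extension are acceptable.
    if (!is_file($real) || strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }

    $contents = file_get_contents($real);
    if ($contents === false) {
        return null;
    }

    // Cheap content check so a renamed non-SVG file is not served as SVG.
    if (stripos($contents, '<svg') === false) {
        return null;
    }

    return $contents;
}

// Constructed demo: create a sample SVG under a temporary directory and show
// that only the in-directory .svg file is returned.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'svg-widget-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'logo.svg',
    '<svg xmlns="http://www.w3.org/2000/svg"></svg>');

$checks = [
    'logo.svg'                          => safe_render_svg('logo.svg', $dir) !== null,
    'traversal outside base rejected'   => safe_render_svg('../../../etc/passwd', $dir) === null,
    'stream wrapper rejected'           => safe_render_svg('php://filter/resource=logo.svg', $dir) === null,
    'absolute path rejected'            => safe_render_svg('/etc/passwd', $dir) === null,
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 36), $ok ? 'OK' : 'FAIL', PHP_EOL;
}
```

In a WordPress plugin the allowed base would normally be the uploads directory (the `basedir` entry returned by `wp_upload_dir()`), and a stronger design is to store an attachment ID in the widget settings and resolve it with `get_attached_file()` so that no filesystem path ever comes from user input. The containment check on the `realpath()` result is the important part: string-level filtering of `..` alone misses symlinks and encoding variations.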
Affected Systems
The flaw affects all releases of the bdthemes Element Pack – Widgets, Templates & Addons for Elementor plugin up to and including version 8.3.17. Any WordPress installation deploying these plugin versions is at risk, regardless of the site's public exposure. The affected components are the SVG widget and its internal file handling logic.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, implying it has not been observed in the wild or linked to known exploit kits. Because exploitation requires an authenticated account with contributor-level or higher privileges, the risk is primarily internal and depends on compromised user credentials or overly generous role assignments. While the potential impact includes unauthorized data exposure, the overall threat remains moderate as long as no public exploit is available.
OpenCVE Enrichment