CVE-2026-24390 - Vulnerability Details

- WordPress Kentha Elementor Widgets plugin < 3.1 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion.This issue affects Kentha Elementor Widgets: from n/a through < 3.1.

Published: 2026-01-22

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability allows an attacker to include arbitrary local files in PHP scripts by controlling the filename passed to an include/require statement. The flaw arises from improper validation of the filename, making it possible to expose sensitive configuration files or other data. The issue is classified as CWE‑98 and can lead to confidentiality compromise if exploited.

Affected Systems

The QantumThemes Kentha Elementor Widgets plugin for WordPress is affected. All releases from the initial version up through 3.0 contain the vulnerability. Versions 3.1 and later incorporate the necessary fix.

Risk and Exploitability

The CVSS base score is 7.5, indicating a moderate‑to‑high impact. The EPSS score is below 1 %, suggesting a low probability of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending a crafted web request that manipulates the include/require parameter, enabling directory traversal and reading of local files. The attack does not require elevated privileges beyond the web application context.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

QantumThemes

Kentha Elementor Widgets

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1

No data.

Vendor	Product	Confidence	Versions
Elementor	Elementor	—	—
Qantumthemes	Kentha Elementor Widgets	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Kentha Elementor Widgets plugin to version 3.1 or later to apply the vendor’s fix.
If an immediate update is not possible, implement validation of all user‑supplied file paths before inclusion, or replace the inclusion logic with a whitelist of allowed files.
Restrict the filesystem permissions of the web server user so that only directories required for normal operation are readable, reducing the impact of any potential file inclusion.

Generated by OpenCVE AI on April 16, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0017.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve

History

Tue, 28 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 26 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Elementor Elementor elementor Qantumthemes Qantumthemes kentha Elementor Widgets Wordpress Wordpress wordpress
Vendors & Products		Elementor Elementor elementor Qantumthemes Qantumthemes kentha Elementor Widgets Wordpress Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion.This issue affects Kentha Elementor Widgets: from n/a through < 3.1.
Title		WordPress Kentha Elementor Widgets plugin < 3.1 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Elementor Elementor

Qantumthemes Kentha Elementor Widgets

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-22T16:52:48.114Z

Updated: 2026-04-28T16:14:48.603Z

Reserved: 2026-01-22T14:42:48.126Z

Link: CVE-2026-24390

Vulnrichment

Updated: 2026-01-26T20:50:03.075Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:42.110

Modified: 2026-04-28T15:16:09.503

Link: CVE-2026-24390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:00:12Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object