Impact
Element Pack Pro versions up to 9.0.6 contain an unsanitized input that allows an attacker to include arbitrary local files. This flaw could expose sensitive configuration files or, if executable files are included, lead to remote code execution. The vulnerability directly compromises file system confidentiality and integrity, and may ultimately allow complete compromise of the affected WordPress site.
Affected Systems
The flaw affects the BdThemes Element Pack Pro plugin for WordPress when installed at version 9.0.6 or earlier. Any WordPress installation that has this plugin active and not patched is vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity rating, and the absence of an EPSS score leaves the likelihood of exploitation uncertain. The plugin is not listed in the CISA KEV catalogue, but the local file inclusion can be triggered through crafted requests that a site administrator or possibly an authenticated contributor could initiate. Due to the nature of the flaw, an attacker could read sensitive files or execute code on the server, presenting a significant risk to affected sites.
OpenCVE Enrichment