Description
Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Element Pack Pro versions up to 9.0.6 contain an unsanitized input that allows an attacker to include arbitrary local files. This flaw could expose sensitive configuration files or, if executable files are included, lead to remote code execution. The vulnerability directly compromises file system confidentiality and integrity, and may ultimately allow complete compromise of the affected WordPress site.

Affected Systems

The flaw affects the BdThemes Element Pack Pro plugin for WordPress when installed at version 9.0.6 or earlier. Any WordPress installation that has this plugin active and not patched is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity rating, and the absence of an EPSS score leaves the likelihood of exploitation uncertain. The plugin is not listed in the CISA KEV catalogue, but the local file inclusion can be triggered through crafted requests that a site administrator or possibly an authenticated contributor could initiate. Due to the nature of the flaw, an attacker could read sensitive files or execute code on the server, presenting a significant risk to affected sites.

Generated by OpenCVE AI on June 18, 2026 at 12:17 UTC.

Remediation

Vendor Solution

Update the WordPress Element Pack Pro Plugin to the latest available version (at least 9.1.0).


OpenCVE Recommended Actions

  • Update the Element Pack Pro Plugin to version 9.1.0 or later.
  • If an update is not immediately possible, temporarily disable or delete the plugin from the WordPress installation.
  • After remediation, monitor server logs for repeated attempts to access local files or suspicious plugin activity.

Generated by OpenCVE AI on June 18, 2026 at 12:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Bdthemes
Bdthemes element Pack
Wordpress
Wordpress wordpress
Vendors & Products Bdthemes
Bdthemes element Pack
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions.
Title WordPress Element Pack Pro plugin <= 9.0.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Bdthemes Element Pack
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:01.788Z

Reserved: 2026-04-15T09:19:20.452Z

Link: CVE-2026-40721

cve-icon Vulnrichment

Updated: 2026-06-17T15:27:53.153Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')