WP-Safety
CVE-2026-1793

Element Pack Addons for Elementor <= 8.3.17 - Authenticated (Contributor+) Arbitrary File Read

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
8.3.18
Patched in
1d
Time to patch

Description

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render_svg' function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=8.3.17
PublishedFebruary 14, 2026
Last updatedFebruary 15, 2026
Affected pluginbdthemes-element-pack-lite

Source Code

WordPress.org SVN
Vulnerable v8.3.17
Browse source Download .zip
Patched v8.3.18
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the steps required to verify and exploit CVE-2026-1793, an Arbitrary File Read vulnerability in the Element Pack Addons for Elementor plugin. ### 1. Vulnerability Summary The "Element Pack Addons for Elementor" plugin (specifically the SVG widget) is vulnerable to arbitr…

Show full research plan

This research plan outlines the steps required to verify and exploit CVE-2026-1793, an Arbitrary File Read vulnerability in the Element Pack Addons for Elementor plugin.

1. Vulnerability Summary

The "Element Pack Addons for Elementor" plugin (specifically the SVG widget) is vulnerable to arbitrary file reading. This occurs because the render_svg function (inferred to be within the SVG widget class) accepts a file path as input without adequate sanitization or restriction to the intended directory. An attacker with Contributor+ privileges can use path traversal sequences (../../) to read sensitive files on the server, such as wp-config.php.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: elementor_ajax (standard Elementor widget rendering flow)
  • Vulnerable Widget: SVG Widget (slug: bdt-svg or bdthemes-svg - inferred)
  • Vulnerable Parameter: Likely a widget control parameter such as svg_path, manual_path, or source_path (inferred).
  • Authentication: Authenticated (Contributor-level or higher).
  • Preconditions: The Element Pack plugin must be active, and the attacker must have permission to edit a post using Elementor.

3. Code Flow (Inferred)

  1. A Contributor user opens the Elementor editor for a post.
  2. The user adds or modifies an SVG Widget.
  3. The user sets the SVG source to "Custom Path" or "Upload" (if the widget allows direct path input).
  4. The Elementor editor sends an AJAX request to admin-ajax.php with the action elementor_ajax and data payload to render_widget.
  5. The plugin's render_svg function is called to process the SVG.
  6. The function takes the path provided in the widget controls.
  7. Sink: The function likely calls file_get_contents(), include(), or readfile() on the user-provided path without traversal checks.
  8. The contents of the file are returned in the AJAX response (JSON) or rendered directly into the page source.

4. Nonce Acquisition Strategy

Elementor requires specific nonces for its AJAX operations.

  1. Create Post: Use WP-CLI to create a draft post.
    wp post create --post_type=post --post_status=draft --post_title="Exploit Test" --post_author=CONTRIBUTOR_ID
  2. Access Editor: Login as the Contributor and navigate to the Elementor editor for that post: /wp-admin/post.php?post=POST_ID&action=elementor.
  3. Extract Nonce: Use browser_eval to extract the necessary nonces from the Elementor configuration object.
    • Common Nonce: browser_eval("window.elementorCommon?.config?.ajax?.nonce")
    • Editor Nonce: browser_eval("window.elementorConfig?.editor_post?.nonce")
  4. Identify Widget Internal Name: While in the editor, search the DOM or window.elementor.widgets for the SVG widget's exact slug.

5. Exploitation Strategy

Step 1: Discover Vulnerable Control Name

Since the exact parameter name isn't in the CVE description, find it by adding an SVG widget in the browser and inspecting the control values.

  • Look for a control that allows "Custom SVG" or "Local Path".
  • Common control keys for this plugin: svg_source, manual_path, svg_path.

Step 2: Craft the Payload

The payload will be an AJAX request to the elementor_ajax endpoint.

HTTP Request:

  • URL: http://TARGET/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=elementor_ajax&
_nonce=[ELEMENTOR_COMMON_NONCE]&
actions={"render_widget":{"action":"render_widget","data":{"editor_post_id":[POST_ID],"widget_id":"[WIDGET_INSTANCE_ID]","model":{"id":"[WIDGET_INSTANCE_ID]","elType":"widget","widgetType":"bdthemes-svg","settings":{"[VULNERABLE_CONTROL]":"../../../../wp-config.php"}}}}}
    (Note: bdthemes-svg is a likely widgetType name for this plugin)

Step 3: Execute via http_request

Send the request with valid Contributor cookies. The response should contain the content of wp-config.php inside the data.render_widget.data.content JSON field.

6. Test Data Setup

  1. Plugin: Install bdthemes-element-pack-lite version 8.3.17.
  2. User: Create a user with the contributor role.
  3. Post: Create a post and enable Elementor for it.
  4. Target File: Ensure a known file exists for testing (e.g., /etc/passwd or the site's wp-config.php).

7. Expected Results

  • The AJAX response status code is 200 OK.
  • The JSON response body contains a success: true flag.
  • The data.render_widget.data.content (or similar) string contains sensitive strings from the targeted file, such as DB_NAME, DB_USER, DB_PASSWORD (if wp-config.php was targeted).

8. Verification Steps

  1. Check Output: Verify the strings returned in the HTTP response match the known contents of the file on the server.
  2. Path Confirmation: Verify that using a non-existent path returns an error or empty content.
  3. Auth Check: Attempt the same request without Contributor cookies to confirm it requires authentication.

9. Alternative Approaches

  • Direct Widget Render: If the widget renders on the frontend, identify the shortcode or post meta used to store widget settings and attempt to modify the post meta directly using other vulnerabilities, then view the post.
  • Dynamic Discovery: Use grep -r "render_svg" . within the plugin directory to find the exact file and the control names used in $this->get_settings_for_display().
  • Local File Inclusion (LFI): Check if the file is being included. If so, try to achieve Remote Code Execution (RCE) by including a log file or uploaded image containing PHP code.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reading through its SVG widget's 'render_svg' function. Authenticated attackers with Contributor-level access or higher can exploit this by using path traversal sequences to read sensitive files on the server, such as wp-config.php.

Vulnerable Code

// Inferred from vulnerability description within the SVG widget class
// Path: modules/svg/widgets/svg.php (approximate)

public function render_svg() {
    $settings = $this->get_settings_for_display();
    $svg_path = $settings['manual_path']; // or 'svg_path'

    if ( ! empty( $svg_path ) ) {
        // Vulnerable: Direct file reading without path validation or sanitization
        echo file_get_contents( $svg_path );
    }
}

Security Fix

--- a/modules/svg/widgets/svg.php
+++ b/modules/svg/widgets/svg.php
@@ -120,7 +120,13 @@
     public function render_svg() {
         $settings = $this->get_settings_for_display();
         $svg_path = $settings['manual_path'];
 
-        if ( ! empty( $svg_path ) ) {
-            echo file_get_contents( $svg_path );
+        if ( ! empty( $svg_path ) ) {
+            $abs_path = realpath($svg_path);
+            $wp_upload_dir = wp_upload_dir();
+            $base_dir = $wp_upload_dir['basedir'];
+
+            if ( $abs_path && strpos( $abs_path, $base_dir ) === 0 && pathinfo( $abs_path, PATHINFO_EXTENSION ) === 'svg' ) {
+                echo file_get_contents( $abs_path );
+            }
         }
     }

Exploit Outline

The exploit targets the Elementor AJAX endpoint used for rendering widgets in the editor. An attacker with Contributor privileges (or higher) must: 1. Create a draft post and enter the Elementor editor to obtain valid AJAX nonces (found in the window.elementorConfig object). 2. Identify the SVG widget's internal control name for manual file paths (e.g., 'manual_path'). 3. Send a POST request to wp-admin/admin-ajax.php with the action 'elementor_ajax'. 4. The payload should contain a 'render_widget' action within the 'actions' parameter, specifying the 'bdthemes-svg' widget type. 5. In the widget's settings model, set the vulnerable control parameter to a path traversal string (e.g., '../../../../../wp-config.php'). 6. The response will contain the contents of the target file within the JSON object's rendered HTML data.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/58f9bef5-6596-40b2-bcb6-d686e87d8d8f?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database