CVE-2026-15338 in LA-Studio Element Kit for Elementor Plugininfo

Summary

by MITRE • 07/11/2026

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. The wp_normalize_path function used in get_template only normalizes directory separators and does not resolve or reject path traversal sequences, while the extension check is trivially bypassed because the caller already appends the required extension to the traversal payload.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The LA-Studio Element Kit for Elementor plugin presents a critical local file inclusion vulnerability that affects all versions through 1.6.1, creating a significant security risk for WordPress installations. This vulnerability stems from improper input validation within the get_type_template function, which allows authenticated attackers with contributor-level privileges or higher to manipulate file inclusion paths. The flaw operates by exploiting the wp_normalize_path function's limited path normalization capabilities, which only addresses directory separator normalization without properly handling or rejecting path traversal sequences such as ../ or ..\. This technical oversight creates an opening for malicious actors to access arbitrary files on the server filesystem, potentially leading to complete system compromise.

The operational impact of this vulnerability extends beyond simple file reading capabilities, as it enables attackers to execute arbitrary PHP code through inclusion of maliciously crafted files. Authentication requirements are relatively low, needing only contributor-level access which is often granted to content editors or authors within WordPress environments, making the attack surface particularly broad. The vulnerability's exploitation becomes even more dangerous when considering that extension checks can be trivially bypassed since the calling function automatically appends required file extensions to traversal payloads, effectively neutralizing any attempt to prevent php file inclusion through simple extension filtering mechanisms. This weakness aligns with CWE-22 Path Traversal vulnerabilities and represents a classic example of insufficient input validation in web applications.

Security practitioners should recognize this vulnerability as a prime candidate for exploitation within the ATT&CK framework under the T1059.007 Execution via Web Shells category, where attackers can establish persistent access through file inclusion techniques. The risk assessment indicates that this vulnerability could be leveraged to bypass access controls and obtain sensitive data from the server, potentially leading to complete system compromise. Mitigation strategies should include immediate patching to versions beyond 1.6.1, implementing proper input validation at multiple layers including path normalization functions, and restricting file upload capabilities where possible. Organizations should also consider monitoring for unusual file inclusion patterns in their web server logs and implement network-based intrusion detection systems to identify potential exploitation attempts. The vulnerability demonstrates the critical importance of robust input validation and the dangers of relying solely on basic extension filtering mechanisms without proper path traversal sequence rejection.

This vulnerability exemplifies common security weaknesses found in content management systems where plugin developers fail to adequately validate user inputs or properly sanitize file paths before processing them. The combination of low privilege requirements with high impact potential makes this particularly concerning for organizations that grant contributor-level access to untrusted users. The technical flaw demonstrates how seemingly innocuous functions like wp_normalize_path can create security vulnerabilities when they don't fully address all possible attack vectors, specifically path traversal sequences that could be exploited by attackers to gain unauthorized system access and execute malicious code within the context of the web server process.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!