CVE-2026-15338
choijun · LA-Studio Element Kit for Elementor
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion (LFI) in all versions up to 1.6.1.
Executive summary
A Local File Inclusion vulnerability in the LA-Studio Element Kit plugin enables attackers to access sensitive files on the server.
Vulnerability
The plugin suffers from improper control of filenames used in include statements (CWE-98). An authenticated user can leverage this flaw to perform Local File Inclusion, potentially leading to unauthorized file reading or remote code execution.
Business impact
With a CVSS score of 7.5, this vulnerability represents a significant risk to server security. An attacker could exploit this to read sensitive configuration files, including database credentials, or execute arbitrary code on the web server, leading to full system compromise.
Remediation
Immediate Action: Update the LA-Studio Element Kit for Elementor plugin to the latest patched version to address the LFI vulnerability.
Proactive Monitoring: Monitor server logs for directory traversal patterns or unusual file inclusion attempts directed at the plugin’s directory.
Compensating Controls: Ensure the web server process is running with the principle of least privilege to restrict the impact of potential file inclusion attacks.
Exploitation status
Public Exploit Available: false
Analyst recommendation
LFI vulnerabilities provide a direct path to system-level compromise. Administrators are urged to update the affected plugin immediately and verify that no unauthorized file modifications have occurred on the underlying server.