CVE-2025-68841 HIGH

CVE-2025-68841: WordPress TopperPack – Complete Elementor Addons, theme & CPT Builder plugin <= 1.2.1 - Local File Inclusion vulnerability

Vendor Themepul
Product TopperPack – Complete Elementor Addons, Theme & CPT Builder
Weakness CWE-98 · PHP file inclusion
Published February 20, 2026
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack – Complete Elementor Addons, Theme & CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack – Complete Elementor Addons, Theme & CPT Builder: from n/a through <= 1.2.1.

Explanation of Vulnerability in Simple Terms

02Summary

TopperPack contains a code injection vulnerability affecting versions up to 1.2.1. An attacker can inject and execute arbitrary code by crafting a malicious request, but requires user interaction to trigger the exploit. The vulnerability allows full compromise of site data and functionality. Update to a version newer than 1.2.1 immediately.

What an attacker can do

03Attacker Capabilities

Inject and execute arbitrary code on the site, compromising data and functionality.

Potential impact on your site

04Site Impact

Complete site compromise possible, including data theft, malware injection, and loss of availability.

Conditions required to exploit

05Prerequisites

Network access; victim must click a malicious link or visit an attacker-controlled page.

Key dates

06Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2025-60189 WordPress PoloPag – Pix Automático para Woocommerce plugin <= 2.0.9 - Local File Inclusion vulnerability CVE-2025-58885 WordPress Pathfinder theme <= 1.16 - Local File Inclusion vulnerability CVE-2024-5574 WP Magazine Modules Lite <= 1.1.2 - Authenticated (Contributor+) Local File Inclusion CVE-2025-49367 WordPress Monyxi theme <= 1.1.8 - Local File Inclusion vulnerability CVE-2024-5348 Elements For Elementor <= 2.1 - Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes