CVE-2026-15338 HIGH

CVE-2026-15338: LA-Studio Element Kit for Elementor <= 1.6.1 - Authenticated (Contributor+) Local File Inclusion via 'progress_type' Widget Setting

Vendor Choijun
Product LA-Studio Element Kit for Elementor
Weakness CWE-98 · PHP file inclusion
Published July 11, 2026
Last update July 11, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. The wp_normalize_path function used in get_template only normalizes directory separators and does not resolve or reject path traversal sequences, while the extension check is trivially bypassed because the caller already appends the required extension to the traversal payload.

Explanation of Vulnerability in Simple Terms

02Summary

LA-Studio Element Kit for Elementor versions up to 1.6.1 contain a code injection vulnerability. An authenticated attacker with low privileges can inject and execute arbitrary code on the site without user interaction. The vulnerability affects confidentiality, integrity, and availability of the WordPress installation.

What an attacker can do

03Attacker Capabilities

Run arbitrary code on the site with the privileges of the WordPress user account.

Potential impact on your site

04Site Impact

Attackers with basic WordPress access can compromise your entire site, steal data, modify content, or take it offline.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

July 11, 2026 CVE published

Related vulnerabilities

08Related CVE