VYPR
Unrated severity · NVD Advisory · Published Jul 2, 2024 · Updated Apr 28, 2026

WordPress LA-Studio Element Kit for Elementor plugin <= 1.3.8.1 - Contributor+ Local File Inclusion vulnerability

CVE-2024-37479

Description

LA-Studio Element Kit for Elementor ≤1.3.8.1 has a Local File Inclusion vulnerability in the Progress Bar widget's progress_type attribute, allowing unauthorized file reading through the New Post editor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Local File Inclusion (LFI) vulnerability exists in the LA-Studio Element Kit for Elementor plugin for WordPress, affecting all versions up to and including 1.3.8.1. The flaw resides in the "LaStudioKit Progress Bar" widget, specifically in the progress_type attribute set when creating a New Post via the Elementor page builder. An attacker can supply a malicious file path to this attribute, leading to inclusion of arbitrary files from the server. [1]

Exploitation

To exploit this vulnerability, an attacker must have access to the WordPress admin interface with sufficient privileges to create or edit posts using the Elementor builder (typically Editor or Administrator roles). The attacker inserts a LaStudioKit Progress Bar widget and sets the progress_type attribute to a path pointing to a local file (e.g., /etc/passwd). Upon saving or previewing the post, the plugin processes the crafted attribute, resulting in the inclusion of the specified file. [1]

Impact

Successful exploitation allows an attacker to read sensitive files from the server, such as configuration files containing database credentials (e.g., wp-config.php) or other system files. This information disclosure can lead to further compromise of the WordPress site and underlying server. The attacker does not gain code execution or write access from this vulnerability alone. [1]

Mitigation

The vulnerability is fixed in version 1.3.9 and subsequent releases, as indicated by the changelog entry "Fixed security issue". The latest fixed version available is 1.6.0 (last updated 2026-01-14). Users are strongly advised to update the LA-Studio Element Kit for Elementor plugin to at least version 1.3.9, and preferably the latest version. No known workarounds exist. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
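
An added example, not part of the advisory or the plugin's code: an audit of stored Elementor page data for progress_type values that look like file paths, for checking whether pages on a site carry such a value. It assumes the page data is available as Elementor's JSON element tree (the `_elementor_data` post meta) and that legitimate values are short preset slugs; the sample document and the value `type-1` are constructed.

```python
import json
import re

# Assumption: legitimate progress_type values are short preset slugs
# (letters, digits, "-" and "_"); anything else is reported for review.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def walk(elements, path=()):
    """Yield (path, element) for every node in an Elementor element tree."""
    for index, element in enumerate(elements or []):
        if not isinstance(element, dict):
            continue
        here = path + (str(element.get("id", index)),)
        yield here, element
        yield from walk(element.get("elements"), here)


def suspicious_progress_types(elementor_json):
    """Return [(element path, value)] for progress_type values that are not slugs."""
    findings = []
    for path, element in walk(json.loads(elementor_json)):
        settings = element.get("settings")
        # Elementor serialises empty settings as [] rather than {}.
        if not isinstance(settings, dict) or "progress_type" not in settings:
            continue
        value = settings["progress_type"]
        if not (isinstance(value, str) and SAFE_VALUE.fullmatch(value)):
            findings.append(("/".join(path), value))
    return findings


# Constructed sample document (not taken from a real site).
SAMPLE = json.dumps([
    {"id": "a1", "elType": "section", "settings": [], "elements": [
        {"id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget",
             "settings": {"progress_type": "type-1"}, "elements": []},
            {"id": "d4", "elType": "widget",
             "settings": {"progress_type": "/etc/passwd"}, "elements": []},
        ]},
    ]},
])

if __name__ == "__main__":
    for location, value in suspicious_progress_types(SAMPLE):
        print(f"{location}: progress_type={value!r}")
```

A finding is a lead for review, not proof of exploitation; the element path identifies the widget to inspect in the page's revision history.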


References

1
