CVE-2025-0898
Description
The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated file read vulnerability in Xpro Elementor Addons Pro Draw SVG widget allows contributors to read arbitrary server files.
Vulnerability
The Xpro Elementor Addons - Pro plugin for WordPress, in all versions up to and including 1.4.7, contains an arbitrary file reading vulnerability in the Draw SVG widget. The vulnerability allows authenticated attackers with Contributor-level access or higher to read the contents of any file on the server, including sensitive information. [1]
Exploitation
An attacker must be authenticated to the WordPress site with at least Contributor-level permissions. The vulnerability resides in the Draw SVG widget, which can be abused to request arbitrary file paths. The exact sequence of steps involves using a crafted request to the widget to read files outside the intended scope, with no additional user interaction required beyond the authenticated session. [1]
Impact
Successful exploitation allows the attacker to read arbitrary files on the server, potentially exposing sensitive data such as configuration files, database credentials, or private content. The compromise is limited to file disclosure (confidentiality impact) and does not grant write or execution capabilities. The attacker gains access to server file contents but does not elevate their privilege level beyond the authenticated session. [1]
Mitigation
As of the publication date (2026-05-27), no patched version has been released. The vendor's official page does not mention a fix. Affected users should monitor the vendor's site for updates and consider restricting Contributor-level access until a patch is available. No known workaround is documented. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two affected product entries are listed, neither with a CPE identifier:
- (no CPE) range: <=1.4.7
- (no CPE) range: <=1.4.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.