CVE-2026-13347
Last modified
CVE-2026-13347 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the he_wrapper_js and he_wrapper_css query parameters processed by the elementor_assets_filter() function. This is due to the function concatenating user-supplied input directly onto ABSPATH and passing the result to file_get_contents() without any path traversal validation, allow-list, realpath containment, or extension check; the result is then echoed in the HTTP response. EPSS estimates a 0.51% chance of exploitation in the next 30 days.
Description
The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the he_wrapper_js and he_wrapper_css query parameters processed by the elementor_assets_filter() function. This is due to the function concatenating user-supplied input directly onto ABSPATH and passing the result to file_get_contents() without any path traversal validation, allow-list, realpath containment, or extension check; the result is then echoed in the HTTP response. Although the output is passed through wp_kses_post(), that function only filters HTML tags and does not prevent disclosure of arbitrary file contents. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the affected site's server (such as wp-config). Note: The exploit requires the Elementor plugin and the 'Hide Elementor' feature to be enabled.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| templatic1 | Hide My WP Lite | <= 1.3 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13347?
How severe is CVE-2026-13347?
How do I fix CVE-2026-13347?
Related CVEs from 2026
- CVE-2026-13331The Groundhogg — CRM, Newsletters, and Marketing Automation …6.5
- CVE-2026-13333The Groundhogg — CRM, Newsletters, and Marketing Automation …6.5
- CVE-2026-13334The Mang Board WP plugin for WordPress is vulnerable to Refl…6.1
- CVE-2026-13335The CodePeople Post Map for Google Maps plugin for WordPress…6.4
- CVE-2026-1334An Out-Of-Bounds Read vulnerability affecting the EPRT file …7.8
- CVE-2026-13341A vulnerability exists in the Kong Konnect Model Context Pro…7.4
- CVE-2026-1335An Out-Of-Bounds Write vulnerability affecting the EPRT file…7.8
- CVE-2026-13350Permissions where checked incorrectly during room creation, …2.3
- CVE-2026-13351Zephyr's IPv6 network stack can be prevented from receiving …7.5
- CVE-2026-13353The WP Ultimate CSV Importer – WordPress Import & Export for…8.8
- CVE-2026-13356A malicious webpage could interrupt a pending navigation by …6.3
- CVE-2026-13357The Houzez Property Feed plugin for WordPress is vulnerable …4.9
Are you affected by CVE-2026-13347?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
