Vendor
The Hide My WP Lite plugin for WordPress, versions up to and including 1.3, is vulnerable to Arbitrary File Read (CVE-2026-13347) due to inadequate validation of user-supplied input in query parameters `he_wrapper_js` and `he_wrapper_css` within the `elementor_assets_filter()` function, allowing unauthenticated attackers to read arbitrary files on the server like `wp-config.php` when the Elementor plugin and 'Hide Elementor' feature are enabled.