{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/elementor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-13347"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hide My WP Lite \u003c= 1.3","Elementor"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","arbitrary-file-read","path-traversal","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress","Elementor"],"content_html":"\u003cp\u003eThe Hide My WP Lite plugin for WordPress, specifically versions up to and including 1.3, contains a critical arbitrary file read vulnerability tracked as CVE-2026-13347. This flaw stems from a path traversal vulnerability in the \u003ccode\u003eelementor_assets_filter()\u003c/code\u003e function, which fails to properly sanitize user-supplied input via the \u003ccode\u003ehe_wrapper_js\u003c/code\u003e and \u003ccode\u003ehe_wrapper_css\u003c/code\u003e query parameters. Attackers can leverage this by directly concatenating their input, containing path traversal sequences, with the \u003ccode\u003eABSPATH\u003c/code\u003e variable, leading to \u003ccode\u003efile_get_contents()\u003c/code\u003e reading arbitrary files outside the intended directory. The content of these files is then echoed in the HTTP response, even though \u003ccode\u003ewp_kses_post()\u003c/code\u003e processes the output (this function only filters HTML tags and does not prevent file content disclosure). Successful exploitation, which does not require authentication, depends on the presence of the Elementor plugin and the activation of its 'Hide Elementor' feature. This vulnerability poses a significant risk as it allows unauthorized access to sensitive server files, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, potentially leading to full compromise of the affected WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP GET request targeting a WordPress site running the vulnerable Hide My WP Lite plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe request includes path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) within the \u003ccode\u003ehe_wrapper_js\u003c/code\u003e or \u003ccode\u003ehe_wrapper_css\u003c/code\u003e query parameters.\u003c/li\u003e\n\u003cli\u003eThe request targets a WordPress endpoint handled by the Hide My WP Lite plugin, specifically leveraging the \u003ccode\u003eelementor_assets_filter()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eelementor_assets_filter()\u003c/code\u003e function concatenates the attacker-supplied input, including the path traversal, with the absolute path to the WordPress installation (\u003ccode\u003eABSPATH\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe resulting malicious path is then passed to the \u003ccode\u003efile_get_contents()\u003c/code\u003e PHP function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efile_get_contents()\u003c/code\u003e reads the content of an arbitrary file on the server, such as \u003ccode\u003e/var/www/html/wp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe read file content is then echoed back in the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves sensitive information from the server, like database credentials stored in \u003ccode\u003ewp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13347 allows unauthenticated attackers to read any file accessible by the web server process. This includes highly sensitive files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, which typically contains database connection credentials, authentication unique keys, and salts. Disclosure of \u003ccode\u003ewp-config.php\u003c/code\u003e content can lead to database compromise, complete administrative access to the WordPress site, and potentially further lateral movement within the server environment. This vulnerability affects WordPress sites utilizing the Hide My WP Lite plugin version 1.3 or earlier, provided the Elementor plugin is also installed and its 'Hide Elementor' feature is active. The CVSS v3.1 base score is 7.5 (High), reflecting the critical nature of information disclosure without authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your web application firewall (WAF) or SIEM to detect attempts to exploit CVE-2026-13347.\u003c/li\u003e\n\u003cli\u003eEnsure web server logs, specifically access logs, are configured to capture full HTTP request details, including method, URI, and query parameters, to enable detection of the specified indicators.\u003c/li\u003e\n\u003cli\u003eApply the latest patch or update to the Hide My WP Lite plugin to remediate CVE-2026-13347 as soon as possible.\u003c/li\u003e\n\u003cli\u003eImplement strong file system permissions on your WordPress installation to minimize the impact if an arbitrary file read occurs, restricting read access to critical files to the absolute minimum necessary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T08:18:09Z","date_published":"2026-07-10T08:18:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-hide-my-wp-lite-file-read/","summary":"The Hide My WP Lite plugin for WordPress, versions up to and including 1.3, is vulnerable to Arbitrary File Read (CVE-2026-13347) due to inadequate validation of user-supplied input in query parameters `he_wrapper_js` and `he_wrapper_css` within the `elementor_assets_filter()` function, allowing unauthenticated attackers to read arbitrary files on the server like `wp-config.php` when the Elementor plugin and 'Hide Elementor' feature are enabled.","title":"WordPress Hide My WP Lite Plugin Vulnerable to Arbitrary File Read (CVE-2026-13347)","url":"https://feed.craftedsignal.io/briefs/2026-07-hide-my-wp-lite-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed - Elementor","version":"https://jsonfeed.org/version/1.1"}