<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elementor - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/elementor/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 08:18:09 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/elementor/feed.xml" rel="self" type="application/rss+xml"/><item><title>WordPress Hide My WP Lite Plugin Vulnerable to Arbitrary File Read (CVE-2026-13347)</title><link>https://feed.craftedsignal.io/briefs/2026-07-hide-my-wp-lite-file-read/</link><pubDate>Fri, 10 Jul 2026 08:18:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-hide-my-wp-lite-file-read/</guid><description>The Hide My WP Lite plugin for WordPress, versions up to and including 1.3, is vulnerable to Arbitrary File Read (CVE-2026-13347) due to inadequate validation of user-supplied input in query parameters `he_wrapper_js` and `he_wrapper_css` within the `elementor_assets_filter()` function, allowing unauthenticated attackers to read arbitrary files on the server like `wp-config.php` when the Elementor plugin and 'Hide Elementor' feature are enabled.</description><content:encoded><![CDATA[<p>The Hide My WP Lite plugin for WordPress, specifically versions up to and including 1.3, contains a critical arbitrary file read vulnerability tracked as CVE-2026-13347. This flaw stems from a path traversal vulnerability in the <code>elementor_assets_filter()</code> function, which fails to properly sanitize user-supplied input via the <code>he_wrapper_js</code> and <code>he_wrapper_css</code> query parameters. Attackers can leverage this by directly concatenating their input, containing path traversal sequences, with the <code>ABSPATH</code> variable, leading to <code>file_get_contents()</code> reading arbitrary files outside the intended directory. The content of these files is then echoed in the HTTP response, even though <code>wp_kses_post()</code> processes the output (this function only filters HTML tags and does not prevent file content disclosure). Successful exploitation, which does not require authentication, depends on the presence of the Elementor plugin and the activation of its 'Hide Elementor' feature. This vulnerability poses a significant risk as it allows unauthorized access to sensitive server files, such as <code>wp-config.php</code>, potentially leading to full compromise of the affected WordPress site.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP GET request targeting a WordPress site running the vulnerable Hide My WP Lite plugin (version 1.3 or earlier).</li>
<li>The request includes path traversal sequences (e.g., <code>../</code>) within the <code>he_wrapper_js</code> or <code>he_wrapper_css</code> query parameters.</li>
<li>The request targets a WordPress endpoint handled by the Hide My WP Lite plugin, specifically leveraging the <code>elementor_assets_filter()</code> function.</li>
<li>The <code>elementor_assets_filter()</code> function concatenates the attacker-supplied input, including the path traversal, with the absolute path to the WordPress installation (<code>ABSPATH</code>).</li>
<li>The resulting malicious path is then passed to the <code>file_get_contents()</code> PHP function.</li>
<li><code>file_get_contents()</code> reads the content of an arbitrary file on the server, such as <code>/var/www/html/wp-config.php</code>.</li>
<li>The read file content is then echoed back in the HTTP response to the attacker.</li>
<li>The attacker successfully retrieves sensitive information from the server, like database credentials stored in <code>wp-config.php</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-13347 allows unauthenticated attackers to read any file accessible by the web server process. This includes highly sensitive files such as <code>wp-config.php</code>, which typically contains database connection credentials, authentication unique keys, and salts. Disclosure of <code>wp-config.php</code> content can lead to database compromise, complete administrative access to the WordPress site, and potentially further lateral movement within the server environment. This vulnerability affects WordPress sites utilizing the Hide My WP Lite plugin version 1.3 or earlier, provided the Elementor plugin is also installed and its 'Hide Elementor' feature is active. The CVSS v3.1 base score is 7.5 (High), reflecting the critical nature of information disclosure without authentication.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided in this brief to your web application firewall (WAF) or SIEM to detect attempts to exploit CVE-2026-13347.</li>
<li>Ensure web server logs, specifically access logs, are configured to capture full HTTP request details, including method, URI, and query parameters, to enable detection of the specified indicators.</li>
<li>Apply the latest patch or update to the Hide My WP Lite plugin to remediate CVE-2026-13347 as soon as possible.</li>
<li>Implement strong file system permissions on your WordPress installation to minimize the impact if an arbitrary file read occurs, restricting read access to critical files to the absolute minimum necessary.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>arbitrary-file-read</category><category>path-traversal</category><category>web-application</category><category>cve</category></item></channel></rss>