{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/la-studio/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-15338"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LA-Studio Element Kit for Elementor plugin for WordPress (\u003c= 1.6.1)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","lfi","web"],"_cs_type":"advisory","_cs_vendors":["LA-Studio","WordPress"],"content_html":"\u003cp\u003eA significant Local File Inclusion (LFI) vulnerability, identified as CVE-2026-15338, has been discovered in the LA-Studio Element Kit for Elementor plugin for WordPress, impacting all versions up to and including 1.6.1. This flaw resides within the plugin's \u003ccode\u003eget_type_template\u003c/code\u003e function, which, when triggered by an authenticated attacker with contributor-level privileges or higher, permits the inclusion and execution of arbitrary \u003ccode\u003e.php\u003c/code\u003e files present on the server. The vulnerability is primarily due to the \u003ccode\u003ewp_normalize_path\u003c/code\u003e function failing to adequately resolve or reject path traversal sequences. Additionally, an existing extension check is rendered ineffective as the plugin itself appends the required \u003ccode\u003e.php\u003c/code\u003e extension to the attacker-supplied payload, simplifying the bypass. Successful exploitation enables PHP code execution, potentially leading to unauthorized access, sensitive data exposure, and further compromise of the WordPress environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Authentication\u003c/strong\u003e: An attacker obtains valid credentials with contributor-level access or higher to a WordPress site running the vulnerable LA-Studio Element Kit plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Crafting\u003c/strong\u003e: The attacker crafts a malicious HTTP request designed to interact with the plugin's \u003ccode\u003eget_type_template\u003c/code\u003e function, typically through a WordPress AJAX endpoint (e.g., \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Traversal Insertion\u003c/strong\u003e: The malicious request includes a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) within a parameter that the \u003ccode\u003eget_type_template\u003c/code\u003e function processes, targeting a specific \u003ccode\u003e.php\u003c/code\u003e file on the server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExtension Bypass\u003c/strong\u003e: The attacker's payload leverages the plugin's behavior where it automatically appends the \u003ccode\u003e.php\u003c/code\u003e extension to the user-supplied path, effectively bypassing any basic extension validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger\u003c/strong\u003e: The \u003ccode\u003eget_type_template\u003c/code\u003e function calls \u003ccode\u003ewp_normalize_path\u003c/code\u003e which processes the supplied path but fails to neutralize the path traversal sequences, leading to the construction of an unintended file path.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: The vulnerable function then includes and executes the arbitrary \u003ccode\u003e.php\u003c/code\u003e file specified by the attacker, allowing them to run PHP code with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact Realization\u003c/strong\u003e: This unauthorized code execution enables the attacker to bypass access controls, exfiltrate sensitive data, or deploy further malicious payloads such as web shells, leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-15338 allows authenticated attackers to execute arbitrary PHP code on the compromised WordPress server. This capability can lead to a complete bypass of access controls, enabling unauthorized manipulation or destruction of website content, exfiltration of sensitive data including user credentials or database information, and potentially full compromise of the underlying server. The vulnerability carries a CVSS v3.1 Base Score of 7.5, reflecting its high severity and potential for significant impact, ranging from defacement to complete takeover of the affected WordPress installation and host system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15338 by immediately updating the LA-Studio Element Kit for Elementor plugin to version 1.6.2 or later to mitigate the Local File Inclusion vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for WordPress installations for suspicious HTTP requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e or other plugin endpoints that contain path traversal sequences (\u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) in query parameters, particularly when attempting to include \u003ccode\u003e.php\u003c/code\u003e files, as this could indicate exploitation of CVE-2026-15338.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T04:21:18Z","date_published":"2026-07-11T04:21:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-la-studio-element-kit-lfi/","summary":"A Local File Inclusion vulnerability exists in the LA-Studio Element Kit for Elementor plugin for WordPress, affecting all versions up to and including 1.6.1, which allows authenticated attackers with contributor-level access or higher to include and execute arbitrary .php files on the server due to improper path traversal handling and an easily bypassed extension check, leading to PHP code execution, access control bypass, and sensitive data exposure.","title":"Local File Inclusion Vulnerability in LA-Studio Element Kit for Elementor Plugin for WordPress","url":"https://feed.craftedsignal.io/briefs/2026-07-la-studio-element-kit-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed - LA-Studio","version":"https://jsonfeed.org/version/1.1"}