PatchSiren

CVE-2026-40721 BdThemes CVE debrief

CVE-2026-40721 is a HIGH severity vulnerability (CVSS Score: 7.5) in Element Pack Pro plugin versions <= 9.0.6. This vulnerability allows for local file inclusion attacks, potentially enabling attackers to access sensitive files on the server. The vulnerability was published on June 17, 2026, and last modified on the same day. Users of Element Pack Pro should update to a patched version to mitigate this risk.

  • Vendor: BdThemes
  • Product: Element Pack Pro
  • CVSS: HIGH 7.5
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-06-17
  • Original CVE updated: 2026-06-17
  • Advisory published: 2026-06-17
  • Advisory updated: 2026-06-17

Who should care

Administrators and users of Element Pack Pro plugin versions <= 9.0.6 should be aware of this vulnerability and take immediate action to update to a patched version. Additionally, security teams and vulnerability managers should prioritize this vulnerability for remediation due to its HIGH severity.

Technical summary

CVE-2026-40721 is a local file inclusion vulnerability in Element Pack Pro plugin versions <= 9.0.6. This vulnerability allows an attacker to include files on the server, potentially leading to sensitive information disclosure or code execution. The vulnerability has a CVSS Score of 7.5 and a CVSS Severity of HIGH. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

HIGH

Recommended defensive actions

  • Update Element Pack Pro plugin to a patched version (> 9.0.6)
  • Review server logs for suspicious file inclusion attempts
  • Implement additional security measures to restrict file access
  • Monitor for potential exploitation attempts
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks
  • Keep software and plugins up-to-date with the latest security patches

Evidence notes

The vulnerability was reported by Patchstack and is listed in the NVD. The CVE record was published on June 17, 2026, and last modified on the same day. The vulnerability is classified as CWE-98.
