PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15338 choijun CVE debrief

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. The vulnerability exists due to insufficient validation of user input, allowing attackers to bypass access controls and achieve code execution.

Vendor
choijun
Product
LA-Studio Element Kit for Elementor
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Administrators of WordPress installations using the LA-Studio Element Kit for Elementor plugin, especially those allowing contributor-level access or above, should assess and mitigate this vulnerability. Additionally, security teams and vulnerability management teams should review the affected scope and severity to prioritize remediation efforts.

Technical summary

The vulnerability exists in the get_type_template function of the LA-Studio Element Kit for Elementor plugin. The wp_normalize_path function used in get_template only normalizes directory separators and does not resolve or reject path traversal sequences. The extension check is trivially bypassed because the caller already appends the required extension to the traversal payload. This allows authenticated attackers with contributor-level access to include and execute arbitrary PHP files.

Defensive priority

High priority due to the potential for code execution and high CVSS score of 7.5.

Recommended defensive actions

  • Immediately update the LA-Studio Element Kit for Elementor plugin to a version that fixes the Local File Inclusion vulnerability, if available.
  • Restrict access to the plugin's functionality to only trusted users.
  • Monitor server logs for suspicious file inclusion attempts.
  • Consider implementing additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Security researchers at Wordfence have reported this issue. The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. The wp_normalize_path function used in get_template only normalizes directory separators and does not resolve or reject path traversal sequences, while the extension check is trivially bypassed because the caller already appends the required extension to the traversal payload.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T04:17:22.537Z and has not been modified since then.