๐Ÿ” CVE Alert

CVE-2026-13347

HIGH 7.5

Hide My WP Lite <= 1.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'he_wrapper_js' Parameter

CVSS Score
7.5
EPSS Score
0.5%
EPSS Percentile
40th

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the he_wrapper_js and he_wrapper_css query parameters processed by the elementor_assets_filter() function. This is due to the function concatenating user-supplied input directly onto ABSPATH and passing the result to file_get_contents() without any path traversal validation, allow-list, realpath containment, or extension check; the result is then echoed in the HTTP response. Although the output is passed through wp_kses_post(), that function only filters HTML tags and does not prevent disclosure of arbitrary file contents. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the affected site's server (such as wp-config). Note: The exploit requires the Elementor plugin and the 'Hide Elementor' feature to be enabled.

CWE CWE-22
Vendor templatic1
Product hide my wp lite
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for templatic1 hide my wp lite

Be the first to know when new high vulnerabilities affecting templatic1 hide my wp lite are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

templatic1 / Hide My WP Lite
0 โ‰ค 1.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e044c51c-40e0-4d33-8921-616d59e0e0d8?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/hide-wp-login/tags/1.3/includes/functions.php#L139 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/hide-wp-login/tags/1.3/includes/functions.php#L117

Credits

Nabil Irawan