CVE-2026-40721
Status: Deferred - Pending Action
Contributor Local File Inclusion in Element Pack Pro

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Local File Inclusion in Element Pack Pro versions <= 9.0.6, exploitable by an authenticated user holding the Contributor role or higher.
Affected Vendors & Products (2 associated CPEs)
Vendor           Product            Version / Range
wpbeaverbuilder  element_pack_pro   up to 9.0.6 (inclusive)
bdthemes         element_pack_pro   up to 9.0.6 (inclusive)
CWE
CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program): The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Executive Summary

The vulnerability is a Local File Inclusion (LFI) issue in the Element Pack Pro WordPress plugin, versions 9.0.6 and below.

It allows an authenticated attacker holding the Contributor role (or higher) to make the plugin include, and thereby display, files from the web server's local filesystem.

That can expose sensitive files, most notably wp-config.php, which holds the site's database credentials.

Impact Analysis

An attacker exploiting this vulnerability can read sensitive files on the web server with the privileges of the PHP process.

If wp-config.php is read, the attacker obtains the database credentials; that becomes a full database takeover when the database server is reachable from the attacker's position (a remotely exposed MySQL port, or a foothold on the host).

Exploitation requires an authenticated Contributor-level account, but the vulnerability carries a CVSS score of 7.5 and is well suited to mass campaigns against sites that allow open registration or accept untrusted contributors.

To mitigate the risk, update the plugin to version 9.1.0 or later.

Detection Guidance

This vulnerability affects WordPress sites running Element Pack Pro version 9.0.6 or below, so detection starts with confirming which plugin version is installed.

You can check the version from the WordPress admin dashboard under Plugins, or by reading the Version header of the plugin's main file directly.

From the command line, for example (the directory and file name depend on how the plugin package was installed, so confirm them with ls wp-content/plugins first):

  • grep -m1 -i 'Version:' wp-content/plugins/element-pack-pro/element-pack-pro.php
  • wp plugin list --fields=name,version,status | grep -i element-pack

Additionally, monitor web server logs for requests to the plugin's endpoints that carry directory-traversal sequences (../ and its URL-encoded or double-encoded forms), PHP stream wrappers such as php://filter, or references to wp-config.php; a 200 response to such a request is a strong sign the include succeeded.
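As an added example that is not part of this advisory or of the plugin's own code, the following Python script performs both checks: it parses the Version header of a plugin main file and compares it numerically against the 9.1.0 fixed release (treating every earlier release as unpatched, per the mitigation guidance above), and it scans combined-format access-log lines for traversal sequences, PHP stream wrappers and wp-config.php references after double URL-decoding, so that %252e%252e%252f payloads are caught too. The plugin header, the admin-ajax action name example_render and the log lines are constructed samples; real requests would target whatever endpoint the plugin actually exposes, which this page does not name.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Advisory: 9.1.0 or later is patched. Assumption: every earlier release is not.
FIXED_VERSION = (9, 1, 0)

# Constructed sample of a WordPress plugin header; the real file's contents differ.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Element Pack Pro
 * Version: 9.0.6
 * Author: Example
 */
"""

# Matches the "Version:" header line inside a PHP docblock (leading ' * ' allowed).
VERSION_LINE = re.compile(r'^[\s*#/]*Version:\s*(\S+)', re.I | re.M)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version header value, or None if no header is present."""
    m = VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'9.0.6-beta2' -> (9, 0, 6). Pre-release suffixes and non-numeric parts are
    dropped and the tuple is padded to three components so comparisons are numeric."""
    core = version.split('-')[0]
    parts = [int(p) for p in core.split('.') if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_unpatched(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < FIXED_VERSION


# Combined log format: client identd user [time] "METHOD target PROTO" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that an include/require path is being steered to an arbitrary file.
LFI_INDICATORS = re.compile(
    r'\.\.[/\\]'                                       # directory traversal
    r'|\b(?:php|phar|file|data|expect|zip|glob)://'    # PHP stream wrappers
    r'|\x00'                                           # null-byte truncation
    r'|/(?:etc/passwd|proc/self/environ)\b'            # classic read targets
    r'|wp-config\.php',                                # WordPress DB credentials
    re.I,
)


def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is visible."""
    return unquote(unquote(target))


def suspicious_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose decoded request carries an LFI indicator."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group('target'))
        ind = LFI_INDICATORS.search(decoded)
        if ind:
            hits.append({'ip': m.group('ip'), 'status': m.group('status'),
                         'indicator': ind.group(0), 'target': decoded})
    return hits


# Constructed log lines: one benign AJAX call, three LFI attempts, one static asset.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.7 - - [17/Jun/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=example_render&template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [17/Jun/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example_render&template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
192.0.2.9 - - [17/Jun/2026:10:00:05 +0000] "GET /wp-content/plugins/example-plugin/assets/css/style.css HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def main() -> None:
    version = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    state = 'UNPATCHED' if version and is_unpatched(version) else 'patched'
    print(f"installed version {version}: {state}")
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} status={hit['status']} indicator={hit['indicator']!r} target={hit['target']}")


if __name__ == '__main__':
    main()
```

Point parse_plugin_version at the real main file's contents and suspicious_requests at a live access log; a hit with status 200 from an authenticated session deserves the same response as a confirmed exploitation attempt.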

Mitigation Strategies

The immediate and recommended mitigation is to update Element Pack Pro to version 9.1.0 or later, where this Local File Inclusion vulnerability has been patched.

If updating immediately is not possible, deactivate the plugin (content built with its widgets will stop rendering until it is re-enabled) or, at minimum, remove untrusted Contributor-level accounts and disable open registration, since a Contributor login is required to exploit the flaw.

Also review web server and application logs for traversal or stream-wrapper payloads aimed at the plugin's endpoints, and tighten access controls (role assignments, a WAF rule blocking ../ and php:// in request parameters) to limit exposure until the update is applied.

Compliance Impact

The Local File Inclusion vulnerability in Element Pack Pro versions 9.0.6 and below could lead to the exposure of sensitive files, such as those containing database credentials. This exposure potentially results in a complete database takeover.

Such unauthorized access and exposure of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

Therefore, failure to patch this vulnerability may lead to violations of data protection requirements under these regulations.
