CVE-2026-1793 is a path traversal vulnerability classified under CWE-22, found in the Element Pack Addons for Elementor plugin for WordPress, specifically in the 'render_svg' function used by the SVG widget. The vulnerability arises from improper validation of file paths, allowing an authenticated attacker with contributor-level or higher privileges to manipulate the file path input to access arbitrary files on the server. Since the plugin does not sufficiently restrict or sanitize the pathname, attackers can traverse directories outside the intended restricted directory, reading sensitive files such as configuration files, password stores, or other critical data. The vulnerability affects all versions up to and including 8.3.17. Exploitation requires authentication but no additional user interaction, and it does not impact system integrity or availability directly. The CVSS v3.1 base score is 6.5, with the vector indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and high confidentiality impact. No patches or exploits are currently publicly available, but the risk remains significant due to the potential exposure of sensitive information on WordPress sites using this plugin.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable WordPress plugin. Attackers with contributor-level access can exploit the flaw to read arbitrary files, potentially gaining access to database credentials, API keys, or other confidential data that could facilitate further attacks or data breaches. Although the vulnerability does not allow privilege escalation or code execution directly, the information disclosure can be leveraged to compromise the system further. Organizations running WordPress sites with this plugin are at risk of data leakage, reputational damage, and compliance violations if sensitive data is exposed. The medium severity rating reflects the significant confidentiality impact but limited effect on integrity and availability. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with multiple contributors or less stringent access controls.

To mitigate this vulnerability, organizations should first check for and apply any available updates or patches from the plugin vendor bdthemes once released. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and review user permissions to minimize the number of accounts with such privileges. Implementing web application firewall (WAF) rules to detect and block suspicious path traversal patterns targeting the SVG widget may provide temporary protection. Additionally, hardening the server by restricting file system permissions to limit access to sensitive files can reduce the impact of arbitrary file reads. Monitoring logs for unusual file access patterns related to the plugin can help detect exploitation attempts. Finally, consider disabling or removing the SVG widget functionality if it is not essential to reduce the attack surface.