CVE-2026-40721 | Severity: HIGH | CNA: Patchstack

CVE-2026-40721: WordPress Element Pack Pro plugin <= 9.0.6 - Local File Inclusion vulnerability

Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A local file inclusion vulnerability affects the Element Pack Pro WordPress plugin at version 9.0.6 and earlier. The vulnerability is reachable over the network and requires a low-privilege account (Contributor level), allowing an attacker to force the server to load arbitrary local files. Successful exploitation has high impact on the confidentiality, integrity, and availability of the affected host (C:H/I:H/A:H), including the ability to read sensitive files, tamper with content, and disrupt service. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships one.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle Element Pack Pro. Any image carrying an affected version of the plugin is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each customer environment's compliance policy to prioritize appropriately. Triage findings can be routed to the correct team inbox within each customer organization based on configured policy rules.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory and upstream plugin repository on every ingest cycle. The moment a patched version is released, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS requests.

  • Authentication: Required

    A low-privilege account at Contributor level or above is sufficient; no administrative or editorial access is needed.

  • Victim interaction: Not required

    No action from another user or an administrator is needed to trigger the vulnerability.

  • Attack complexity: High

    Exploitation involves high complexity (AC:H), meaning specific conditions such as particular server configurations or race conditions must be met for the attack to succeed reliably.

Blast Radius

  • Reads arbitrary local files on the server, including WordPress configuration files that contain database credentials and secret keys.
  • Modifies content or configuration on the host by chaining file inclusion with writable locations or uploaded payloads.
  • Crashes or destabilizes the WordPress service by including files that disrupt PHP execution.
  • Pivots to broader host compromise if sensitive credentials obtained from local files grant access to adjacent systems.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40721 is active and matches any image containing Element Pack Pro at version 9.0.6 or earlier. Because no upstream fix exists at this time, the recommended immediate action is to apply network-policy controls that restrict which users can reach the affected WordPress installation, enforce strict file-permission hardening on the server to limit which paths PHP can include, and consider disabling the Element Pack Pro plugin or gating contributor-level access until a patch is available. HarborGuard re-checks the Patchstack advisory on every ingest cycle; once a fix version is published, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated as soon as a fix version is confirmed.
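The detection described above boils down to finding installed copies of the plugin and comparing their version against the affected range (≤ 9.0.6). The following is an added example of that check, not HarborGuard's or BdThemes' code. It relies on the standard WordPress plugin header format (a comment block with "Plugin Name:" and "Version:" lines, scanned in the first 8 KiB of a file, as WordPress itself does); the exact "Plugin Name" value, the file layout under wp-content/plugins, and the sample header are assumptions constructed for this example. It also handles the edge case where naive string comparison misorders 9.0.10 and 9.0.6.

```python
"""Locate WordPress plugin installs of Element Pack Pro at or below 9.0.6.

Added example: the header format is WordPress's standard plugin header, but
the 'Plugin Name' value, plugin directory layout and sample header below are
assumptions for illustration.
"""
from __future__ import annotations

import re
from pathlib import Path

AFFECTED_PLUGIN = "Element Pack Pro"  # assumed header value for this plugin
LAST_AFFECTED = "9.0.6"               # from the advisory: <= 9.0.6 is affected

# Mirrors WordPress's own header regex: optional comment decoration, key, value.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample header (not a real file from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Element Pack Pro
 * Description: constructed sample header for this example
 * Version: 9.0.6
 * Author: BdThemes
 */
"""


def parse_plugin_header(text: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header block."""
    # Only the first 8 KiB is examined, matching WordPress's header scan.
    return {key: value for key, value in HEADER_RE.findall(text[:8192])}


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison, so 9.0.10 sorts above 9.0.6.

    Non-numeric pieces (e.g. 'beta', 'rc1') sort below a numeric 0, so a
    pre-release of a version ranks below that version's final release.
    """
    return tuple(
        int(piece) if piece.isdigit() else -1
        for piece in re.split(r"[.\-]", version.strip())
    )


def is_affected(version: str) -> bool:
    """True when version <= LAST_AFFECTED under numeric comparison."""
    a, b = version_key(version), version_key(LAST_AFFECTED)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # treat 9.1 as 9.1.0
    b += (0,) * (width - len(b))
    return a <= b


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk <plugins_dir>/*/*.php and report every Element Pack Pro install found."""
    findings = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        try:
            header = parse_plugin_header(php.read_text(errors="replace"))
        except OSError:
            continue
        if header.get("Plugin Name") == AFFECTED_PLUGIN and "Version" in header:
            findings.append({
                "path": str(php),
                "version": header["Version"],
                "affected": is_affected(header["Version"]),
            })
    return findings


if __name__ == "__main__":
    header = parse_plugin_header(SAMPLE_HEADER)
    print(header, "affected:", is_affected(header["Version"]))
    # Real use: scan_plugins_dir(Path("/var/www/html/wp-content/plugins"))
```

Point `scan_plugins_dir` at a site's wp-content/plugins directory (or a mounted image layer) to get one finding per matching install, each marked affected or not.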

Affected packages
  • BdThemes / Element Pack Pro: ≤ 9.0.6
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H