CVE-2025-10873: 
WordPress vulnerability analysis and mitigation

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in versions up to and including 1.4.2. The vulnerability was discovered and disclosed on November 23, 2024, with the identifier CVE-2024-10873. This security issue affects WordPress installations using the LA-Studio Element Kit for Elementor plugin (NVD).

The vulnerability exists in the loadtemplate function of the plugin, which allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. This can lead to the execution of any PHP code contained within those files. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk. The issue is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This gives attackers significant control over the affected WordPress installation and could potentially lead to complete system compromise (NVD).

Website administrators should update the LA-Studio Element Kit for Elementor plugin to version 1.4.3 or later, which contains the security fix. A patch has been made available through the WordPress plugin repository (Wordfence).