CVE-2025-13692 - Vulnerability Details

- Unlimited Elements For Elementor and Unlimited Elements For Elementor (Premium) <= 2.0 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

Description

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled.

Published: 2025-11-27

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Unlimited Elements For Elementor plugin contains a stored cross‑site scripting flaw in its handling of SVG file uploads. The lack of proper input sanitization and output escaping lets an attacker embed malicious JavaScript inside an SVG. When users view or download the compromised SVG, the code runs in the visitor’s browser, exposing the site to data theft, cookie hijacking, or further compromise. The weakness is categorized as CWE‑79.

Affected Systems

Both the free and premium editions of the UniteCMS Unlimited Elements For Elementor plugin are affected for all releases up to and including version 2.0. Any WordPress installation that relies on these editions and has a form with an SVG upload field is vulnerable. The flaw exists in the processing logic within the form handling component of the plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2, denoting a high impact risk, yet the EPSS score is less than 1 %, indicating a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the issue without authentication by uploading a crafted SVG through an existing form. Once stored, the script executes for every user who accesses the SVG, even after the premium plugin is deactivated or removed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unitecms

Unlimited Elements for Elementor (Premium)

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0

unitecms

Unlimited Elements For Elementor

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0

No data.

Vendor	Product	Confidence	Versions
Elementor	Elementor	—	—
Unlimited-elements	Unlimited Elements For Elementor	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Unlimited Elements For Elementor to any release beyond version 2.0, as earlier versions contain the stored XSS flaw.
If the plugin is no longer needed, uninstall it completely or disable its file‑upload feature to prevent SVG uploads.
Deploy a web application firewall rule or adjust server configuration to block or sanitize SVG file uploads, ensuring that only safe file types are accepted.

Generated by OpenCVE AI on April 21, 2026 at 01:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00181.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598
https://plugins.trac.wordpress.org/changeset/3403331/
https://unlimited-elements.com/change-log/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve

History

Thu, 04 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 28 Nov 2025 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Elementor Elementor elementor Unlimited-elements Unlimited-elements unlimited Elements For Elementor Wordpress Wordpress wordpress
Vendors & Products		Elementor Elementor elementor Unlimited-elements Unlimited-elements unlimited Elements For Elementor Wordpress Wordpress wordpress

Thu, 27 Nov 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled.
Title		Unlimited Elements For Elementor and Unlimited Elements For Elementor (Premium) <= 2.0 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598 https://plugins.trac.wordpress.org/changeset/3403331/ https://unlimited-elements.com/change-log/ https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Elementor Elementor

Unlimited-elements Unlimited Elements For Elementor

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-27T13:53:13.430Z

Updated: 2026-04-08T17:15:22.510Z

Reserved: 2025-11-25T20:34:52.440Z

Link: CVE-2025-13692

Vulnrichment

Updated: 2025-12-04T14:18:24.862Z

NVD

Status : Deferred

Published: 2025-11-27T14:15:51.853

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object