Impact
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field. Because the plugin does not properly sanitize or escape user-supplied URLs, an authenticated user with Contributor or higher privileges can embed arbitrary JavaScript that runs whenever a page containing the widget is viewed. This flaw is a classic input validation weakness identified as CWE-79 and can lead to session hijacking, defacement, or execution of malicious payloads in victim browsers.
Affected Systems
The affected product is the UniteCMS Unlimited Elements for Elementor WordPress plugin, specifically versions up to and including 2.0.1. Any WordPress site running these versions is susceptible when the Border Hero widget is used. Any account with Contributor-level or higher access to the site is sufficient for exploitation.
Risk and Exploitability
The CVSS base score of 5.4 places it in the moderate range, and the EPSS score of less than 1% indicates a low probability of observed exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Contributor+ user to modify the button link field in the widget; the malicious content is persisted to the database and executed for all site visitors. While the likelihood of exploitation is limited to sites with the vulnerable plugin and active contributor accounts, the potential impact on confidentiality and integrity of user sessions is significant.
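Because the malicious content is persisted to the database, a defender can audit the stored Elementor layouts of an affected site for link values that an `esc_url()`-style scheme allow-list would reject. The following is an added example, not code from the plugin or from OpenCVE; it assumes Elementor's `_elementor_data` post meta JSON format, and the widget type and setting names used in the sample rows are placeholders, not the plugin's real identifiers.

```python
import json
from urllib.parse import urlsplit

# Schemes an esc_url()-style allow-list would accept; "" covers relative links.
SAFE_SCHEMES = {"", "http", "https", "mailto", "tel"}
# Settings keys that plausibly hold a link (heuristic, not the plugin's schema).
LINK_KEY_HINTS = ("link", "url", "href")


def is_suspicious_url(value: str) -> bool:
    """True if a stored link would be unsafe to emit unescaped inside href="...":
    it uses a non-allow-listed scheme or contains attribute-breaking characters."""
    # Drop whitespace/control characters that browsers ignore inside a scheme.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return True
    return any(ch in cleaned for ch in "\"'<>")


def _walk(elements, post_id):
    """Recurse through Elementor's nested element tree and yield suspicious links."""
    for el in elements:
        widget = el.get("widgetType") or el.get("elType", "?")
        for key, val in el.get("settings", {}).items():
            if not any(hint in key.lower() for hint in LINK_KEY_HINTS):
                continue
            # Elementor link controls are dicts {"url": ...}; plain strings also occur.
            url = val.get("url") if isinstance(val, dict) else val
            if isinstance(url, str) and is_suspicious_url(url):
                yield {"post_id": post_id, "element": el.get("id"),
                       "widget": widget, "setting": key, "value": url}
        yield from _walk(el.get("elements", []), post_id)


def scan_posts(posts):
    """posts: iterable of (post_id, raw _elementor_data JSON) rows, as selected
    from wp_postmeta WHERE meta_key = '_elementor_data'. Returns a list of findings."""
    findings = []
    for post_id, raw in posts:
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not Elementor JSON; nothing to scan
        findings.extend(_walk(data, post_id))
    return findings


# Constructed sample rows (not real site data). "example_hero" is a placeholder
# widgetType, not the plugin's actual identifier for the Border Hero widget.
SAMPLE_POSTS = [
    (7, json.dumps([{"id": "a1", "elType": "widget", "widgetType": "example_hero",
                     "settings": {"button_link": {"url": "https://example.com/signup"}}}])),
    (12, json.dumps([{"id": "sec", "elType": "section", "elements": [
        {"id": "b2", "elType": "widget", "widgetType": "example_hero",
         "settings": {"button_link": {"url": "javascript:void(0)"}}}]}])),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Run against a dump of `_elementor_data` rows, the scan reports which post, element and setting holds a link that needs cleaning, which also gives a baseline to re-check after upgrading the plugin.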
OpenCVE Enrichment