Description
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The Unlimited Elements For Elementor plugin contains insufficient input sanitization and output escaping in several widgets, allowing authenticated users with Contributor‑level access or higher to store malicious scripts in pages. When an affected page is viewed, the embedded script runs in the victim's browser, enabling session hijacking, credential theft, or defacement. The flaw is a classic stored XSS and is identified as CWE‑79.

Affected Systems

WordPress sites using the UniteCMS Unlimited Elements For Elementor plugin, versions 1.5.142 and earlier, are affected. The plugin runs as a WordPress extension and is publicly available from the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% points to a very low likelihood of exploitation at the time of analysis. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires that the attacker be able to authenticate to the WordPress backend with at least Contributor privileges, after which they can insert a malicious payload into a page or widget that will be served to all site visitors. Because the attack vector is limited to authenticated users, the risk is contained to sites that have exposed WordPress admin access.

Generated by OpenCVE AI on April 20, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unlimited Elements For Elementor plugin to version 1.5.143 or later, which includes input sanitization and output escaping fixes.
  • If an upgrade is not immediately possible, remove or disable the vulnerable widgets that accept user input to prevent new malicious content from being stored.
  • Review existing pages and widgets for injected scripts and delete or clean any malicious code that was previously saved.

Generated by OpenCVE AI on April 20, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9591 The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 10 Apr 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Unlimited-elements
Unlimited-elements unlimited Elements For Elementor
CPEs cpe:2.3:a:unlimited-elements:unlimited_elements_for_elementor:*:*:*:*:*:wordpress:*:*
Vendors & Products Unlimited-elements
Unlimited-elements unlimited Elements For Elementor

Thu, 03 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Unlimited Elements For Elementor <= 1.5.142 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Unlimited-elements Unlimited Elements For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:52.435Z

Reserved: 2025-02-24T20:44:44.297Z

Link: CVE-2025-1663

cve-icon Vulnrichment

Updated: 2025-04-03T13:30:06.560Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-03T08:15:14.693

Modified: 2025-04-10T14:02:22.313

Link: CVE-2025-1663

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses