Description
Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows attackers to upload arbitrary files to the WordPress site because the plugin does not validate file types. An attacker could upload a malicious script that would then execute in the server context, leading to full compromise of the website, data theft, or defacement. The flaw enables code execution and supplies the attacker with persistent access.

Affected Systems

Studio Keren Aga LTD.'s Unlimited Elements for Elementor (Premium) plugin versions 2.0.6 and earlier on WordPress installations are affected. No specific WordPress or server versions are listed, but the vulnerability exists in any setup running 2.0.6 or older.

Risk and Exploitability

The CVSS score of 9.9 marks the flaw as critical. No EPSS score is available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog. The plugin’s upload feature can be accessed by users with contributor role or higher, indicating that authenticated users could exploit it, and if role restrictions are lax, even unauthenticated users might reach it. Successful exploitation would give the attacker full server-side code execution.

Generated by OpenCVE AI on June 18, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade Unlimited Elements for Elementor (Premium) to version 2.0.7 or later.
  • If an upgrade is not immediately possible, disable the plugin or limit contributor access to prevent file uploads until patched.
  • Implement file type validation at the server or WordPress level, whitelisting allowed extensions and rejecting any non‑whitelisted uploads.

Generated by OpenCVE AI on June 18, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Studio Keren Aga Ltd.
Studio Keren Aga Ltd. unlimited Elements For Elementor (premium)
Wordpress
Wordpress wordpress
Vendors & Products Studio Keren Aga Ltd.
Studio Keren Aga Ltd. unlimited Elements For Elementor (premium)
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions.
Title WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Studio Keren Aga Ltd. Unlimited Elements For Elementor (premium)
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:33:20.660Z

Reserved: 2026-02-17T13:23:18.876Z

Link: CVE-2026-27041

cve-icon Vulnrichment

Updated: 2026-06-17T12:33:15.330Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:30Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type