Impact
The vulnerability allows attackers to upload arbitrary files to the WordPress site because the plugin does not validate file types. An attacker could upload a malicious script that would then execute in the server context, leading to full compromise of the website, data theft, or defacement. The flaw enables code execution and supplies the attacker with persistent access.
Affected Systems
Studio Keren Aga LTD.'s Unlimited Elements for Elementor (Premium) plugin versions 2.0.6 and earlier on WordPress installations are affected. No specific WordPress or server versions are listed, but the vulnerability exists in any setup running 2.0.6 or older.
Risk and Exploitability
The CVSS score of 9.9 marks the flaw as critical. No EPSS score is available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog. The plugin’s upload feature can be accessed by users with contributor role or higher, indicating that authenticated users could exploit it, and if role restrictions are lax, even unauthenticated users might reach it. Successful exploitation would give the attacker full server-side code execution.
OpenCVE Enrichment