Description
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.
Published: 2026-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Patch Now
AI Analysis

Impact

Unlimited Elements for Elementor, a WordPress plugin, contains a path traversal flaw in its Repeater JSON/CSV URL handling. An authenticated attacker with Author-level or higher access can supply a URL such as http://site.com/../../../../etc/passwd; the plugin strips only the site's base URL, leaves the ../ segments intact, joins the remainder to its base path, and the operating system resolves the result to the target file, whose contents are then exposed through the widget's debug output. The weakness is classified as CWE-22 (path traversal) and allows arbitrary file read, including wp-config.php and the database credentials it holds, compromising confidentiality.
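As an added illustration, not code from the plugin or from OpenCVE, the following PHP models the three steps the description names (base-URL stripping by string replacement, separator-only cleaning, concatenation with the base path) beside a hardened resolver. SITE_URL, BASE_PATH, the function bodies and the sample URLs are assumptions chosen to mirror the advisory's example; only the function names echo the ones the advisory cites.

```php
<?php
// Added example (not the plugin's own code): a self-contained PHP model of the traversal the
// advisory describes, beside a hardened resolver. The function names echo the ones the advisory
// cites (URLtoRelative, cleanPath, urlToPath); their bodies are reconstructed for illustration.
// SITE_URL and BASE_PATH are assumed values standing in for the site URL and ABSPATH.

const SITE_URL  = 'http://site.com';
const BASE_PATH = '/var/www/html';

// ---- Vulnerable model -------------------------------------------------------------

// Step 1: the base URL is removed by plain string replacement, so "../" survives.
function vulnerable_URLtoRelative(string $url): string
{
    return str_replace(SITE_URL, '', $url);
}

// Step 2: only separators are normalized ("//" and "\" become "/"); ".." segments remain.
function vulnerable_cleanPath(string $path): string
{
    return preg_replace('#[\\\\/]+#', '/', $path);
}

// Step 3: concatenation with the base path. The kernel resolves ".." when the file is opened,
// so the advisory's URL ends up pointing at /etc/passwd.
function vulnerable_urlToPath(string $url): string
{
    return vulnerable_cleanPath(BASE_PATH . '/' . vulnerable_URLtoRelative($url));
}

// ---- Hardened model ---------------------------------------------------------------

// Lexically resolve "." and ".." segments and refuse any path that would climb above $base.
// Returning null means "reject", before anything touches the filesystem.
function normalize_under_base(string $base, string $relative): ?string
{
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $relative)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($segments === []) {
                return null;                 // would escape the base directory
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return rtrim($base, '/') . '/' . implode('/', $segments);
}

function hardened_urlToPath(string $url): ?string
{
    $prefix = SITE_URL . '/';
    if (strncmp($url, $prefix, strlen($prefix)) !== 0) {
        return null;                         // not a URL on this site: never map it to a local file
    }
    $path = parse_url($url, PHP_URL_PATH);   // drops ?query and #fragment, does not normalize
    if (!is_string($path)) {
        return null;
    }
    $path = rawurldecode($path);             // decode first so "%2e%2e" cannot slip past the check
    if (strpos($path, "\0") !== false) {
        return null;
    }
    $candidate = normalize_under_base(BASE_PATH, $path);
    if ($candidate === null) {
        return null;
    }
    // Symlink guard: if the target exists, its real location must also sit under the base.
    $real     = realpath($candidate);
    $realBase = realpath(BASE_PATH);
    if ($real !== false && $realBase !== false
        && strncmp($real, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: the advisory's traversal URL and a benign uploads URL.
$attack = SITE_URL . '/../../../../etc/passwd';
$benign = SITE_URL . '/wp-content/uploads/repeater.json';

printf("vulnerable: %s\n", vulnerable_urlToPath($attack));
printf("hardened:   %s\n", var_export(hardened_urlToPath($attack), true));
printf("hardened:   %s\n", var_export(hardened_urlToPath($benign), true));
```

Run it with `php` on the command line. The vulnerable chain turns the advisory's URL into /var/www/html/../../../../etc/passwd, which the operating system collapses to /etc/passwd on open; the hardened resolver rejects that URL (null) and maps the benign one to a path under /var/www/html/wp-content/uploads. The lexical check is the primary defence because it runs before any filesystem access and does not depend on the target existing; the realpath() comparison is a second layer against symlinks planted inside the web root.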

Affected Systems

The issue affects every installation of the Unlimited Elements for Elementor plugin for WordPress through version 2.0.6, regardless of the WordPress core version. Exploitation requires an account with Contributor-level or higher privileges (the description says Author level; the advisory title says Contributor+), because such a user can set the Repeater JSON/CSV URL and enable debug output in the widget settings, which is what exposes the file contents.

Risk and Exploitability

A CVSS 3.1 base score of 7.5 is High severity. The EPSS score is below 1%, i.e. a very low predicted probability of exploitation in the wild at present. Exploitation needs a valid Contributor- or Author-level login and the ability to point the Repeater widget at an arbitrary URL, so the risk concentrates on multi-user sites and sites where contributor accounts are handed out loosely. Note that the published vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) records no privileges required, which does not match the authentication requirement in the description; read the 7.5 as an upper bound. The vulnerability is not listed in the CISA KEV catalog, but path traversal is a classic, well-understood exploitation vector and the SSVC assessment below marks it as automatable.

Generated by OpenCVE AI on April 17, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unlimited Elements for Elementor plugin to the first release after 2.0.6 that fixes this issue (the AI analysis names 2.0.7; confirm the fixed version against the Wordfence advisory and the referenced changeset, since the Remediation field above records no vendor fix).
  • If you cannot upgrade immediately, restrict editing of Unlimited Elements widgets to Administrators, leave debug output in widget settings disabled, and review which accounts hold Contributor or Author roles. The traversal is triggered through the widget's Repeater JSON/CSV URL setting, so audit changes to that setting and watch for reads of files outside the web root by the PHP process.
  • File-system permissions and PHP's open_basedir restriction limit what the PHP process can reach outside the WordPress root, but they cannot protect files PHP must read anyway, such as wp-config.php; treat them as defence in depth, not as a fix.


Advisories

No advisories yet.

References
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.6/inc_php/unitecreator_helper.class.php#L643
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.6/inc_php/unitecreator_helper.class.php#L667
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.6/inc_php/unitecreator_operations.class.php#L710
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.6/provider/provider_helper.class.php#L597
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.6/provider/provider_helper.class.php#L607
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_helper.class.php#L643
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_helper.class.php#L667
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_operations.class.php#L710
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/provider_helper.class.php#L597
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/provider_helper.class.php#L607
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3504458%40unlimited-elements-for-elementor&new=3504458%40unlimited-elements-for-elementor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/9e7e3763-4606-4fc4-aa0f-b67e6087bdc2?source=cve
History

Fri, 17 Apr 2026 13:15:00 +0000
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 09:15:00 +0000
Values added:
  First time appeared: Unitecms; Unitecms unlimited Elements For Elementor; Wordpress; Wordpress wordpress
  Vendors & Products: Unitecms; Unitecms unlimited Elements For Elementor; Wordpress; Wordpress wordpress

Fri, 17 Apr 2026 07:00:00 +0000
Values added:
  Description: as given in the Description section above
  Title: Unlimited Elements For Elementor <= 2.0.6 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal
  Weaknesses: CWE-22
  References: as listed in the References section above
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T12:14:39.811Z

Reserved: 2026-03-23T16:01:46.932Z

Link: CVE-2026-4659

Vulnrichment

Updated: 2026-04-17T12:14:35.500Z

NVD

Status : Received

Published: 2026-04-17T07:16:01.967

Modified: 2026-04-17T07:16:01.967

Link: CVE-2026-4659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T09:00:10Z

Weaknesses