{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8603", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-05T17:47:28.023Z", "datePublished": "2025-08-28T03:42:44.078Z", "dateUpdated": "2026-04-08T16:48:31.729Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:31.729Z"}, "affected": [{"vendor": "unitecms", "product": "Unlimited Elements For Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.148", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Unlimited Elements For Elementor <= 1.5.148 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40f0510a-06e3-40a9-9b93-0296f524f94a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/assets_libraries/unitegallery/js/unitegallery.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3349280%40unlimited-elements-for-elementor&new=3349280%40unlimited-elements-for-elementor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-08-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-28T13:37:53.198008Z", "id": "CVE-2025-8603", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T14:49:25.800Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8603", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-28T13:37:53.198008Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T13:38:05.510Z"}}], "cna": {"title": "Unlimited Elements For Elementor <= 1.5.148 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "unitecms", "product": "Unlimited Elements For Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.148"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-27T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40f0510a-06e3-40a9-9b93-0296f524f94a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/assets_libraries/unitegallery/js/unitegallery.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3349280%40unlimited-elements-for-elementor&new=3349280%40unlimited-elements-for-elementor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:31.729Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8603", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:31.729Z", "dateReserved": "2025-08-05T17:47:28.023Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-28T03:42:44.078Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8603", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-28T04:16:02.490", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/assets_libraries/unitegallery/js/unitegallery.min.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3349280%40unlimited-elements-for-elementor&new=3349280%40unlimited-elements-for-elementor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40f0510a-06e3-40a9-9b93-0296f524f94a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:20:35.303092+00:00", "value": {"mitigation_remediation": ["Upgrade the Unlimited Elements For Elementor plugin to version\u202f1.5.149 or later to remove the flaw.", "If an immediate upgrade is not feasible, disable or delete the widgets that permit script injection and review existing pages for malicious content.", "Reduce the number of users with Contributor or higher roles and monitor role assignments to limit the attack surface."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This flaw affects all installations of Unlimited Elements For Elementor up to and including version\u202f1.5.148 on WordPress sites. Administrators should verify the plugin version used and consider an upgrade if newer releases are available.", "description_and_impact": "The vulnerability resides in the Unlimited Elements For Elementor plugin for WordPress. Insufficient input sanitization and output escaping in several widgets allow an authenticated attacker with Contributor role or higher to embed arbitrary JavaScript. When an injected page is viewed, the script runs in the victim\u2019s browser, enabling cookie theft, session hijack or site defacement.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate severity. The EPSS score of <\u202f1\u202f% means that the probability of exploitation is very low at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must first acquire Contributor\u2011level access to the site; legitimate users of that role can then edit pages or widgets to inject the malicious code. Successful exploitation results in client\u2011side scripting that can target any visitor of the affected page."}}}}, "created": "2026-04-21T03:30:26.331377+00:00", "updated": "2026-04-21T03:30:26.331395+00:00", "vendors": []}