{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2724", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-18T21:34:56.606Z", "datePublished": "2026-03-10T09:58:58.447Z", "dateUpdated": "2026-04-08T16:58:31.816Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:31.816Z"}, "affected": [{"vendor": "unitecms", "product": "Unlimited Elements For Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries."}], "title": "Unlimited Elements For Elementor <= 2.0.5 - Unauthenticated Stored Cross-Site Scripting via Form Entry Fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68d4aa8c-70f9-46ba-92ce-fbb427954e86?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/views/objects/form_entries_view.class.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/views/objects/form_entries_view.class.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/inc_php/unitecreator_form.class.php#L1151"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1151"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470240/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php?old=3403331&old_path=unlimited-elements-for-elementor%2Ftrunk%2Finc_php%2Funitecreator_form.class.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-03-09T21:26:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:57:52.637981Z", "id": "CVE-2026-2724", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:51:22.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2724", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:57:52.637981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:57:54.048Z"}}], "cna": {"title": "Unlimited Elements For Elementor <= 2.0.5 - Unauthenticated Stored Cross-Site Scripting via Form Entry Fields", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "unitecms", "product": "Unlimited Elements For Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-09T21:26:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68d4aa8c-70f9-46ba-92ce-fbb427954e86?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/views/objects/form_entries_view.class.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/views/objects/form_entries_view.class.php#L336"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/inc_php/unitecreator_form.class.php#L1151"}, {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1151"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470240/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php?old=3403331&old_path=unlimited-elements-for-elementor%2Ftrunk%2Finc_php%2Funitecreator_form.class.php"}], "descriptions": [{"lang": "en", "value": "The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:31.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2724", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:31.816Z", "dateReserved": "2026-02-18T21:34:56.606Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-10T09:58:58.447Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries."}, {"lang": "es", "value": "El plugin Unlimited Elements for Elementor para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los campos de entrada del formulario en todas las versiones hasta la 2.0.5, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida insuficiente en los datos de env\u00edo del formulario mostrados en la vista 'Form Entries Trash' del administrador. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un administrador vea las entradas de formulario en la papelera."}], "id": "CVE-2026-2724", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:48.757", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/inc_php/unitecreator_form.class.php#L1151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/views/objects/form_entries_view.class.php#L336"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/views/objects/form_entries_view.class.php#L336"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3470240/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php?old=3403331&old_path=unlimited-elements-for-elementor%2Ftrunk%2Finc_php%2Funitecreator_form.class.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68d4aa8c-70f9-46ba-92ce-fbb427954e86?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.5]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Unlimited Elements For Elementor", "source": "cna", "vendor": "unitecms"}, "product": "unlimited_elements_for_elementor", "vendor": "unitecms"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T19:47:51.034952+00:00", "value": {"mitigation_remediation": ["Upgrade the Unlimited Elements for Elementor plugin to any version newer than 2.0.5 that contains the XSS fix", "As an interim measure, delete or disable all stored form entries that contain user\u2011supplied data to remove embedded scripts", "Enforce strict input validation and output escaping in any custom code that processes form data to prevent similar XSS vulnerabilities"], "summary": {"action": "Patch Upgrade", "impact": "Stored Cross\u2011Site Scripting that executes in an administrator\u2019s browser"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Unlimited Elements for Elementor plugin in any version up to and including 2.0.5 are affected. The plugin is provided by the vendor unitecms under the product name Unlimited Elements For Elementor. No other WordPress core versions or plugins are impacted according to the current data.", "description_and_impact": "The Unlimited Elements for Elementor plugin stores data submitted through its form fields and later displays that data in the admin Trash view without sufficient input sanitization or output escaping. This flaw is a classic stored cross\u2011site scripting vulnerability (CWE\u201179). When a malicious actor submits a form containing crafted scripts, those scripts remain hidden until an administrator opens the trash view, where they are rendered and executed in the administrator\u2019s browser. The impact includes credential theft, defacement, or launching further attacks against the site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.2, indicating high severity, and an EPSS score below 1%, suggesting a relatively low probability of exploitation in the general ecosystem. The likely attack vector is unauthenticated submission of a malicious form entry, followed by authenticated viewing of the trash view by an administrator. The flaw is not listed in the CISA KEV catalog. Despite the low exploitation likelihood, the high potential impact warrants a high\u2011priority response."}}}}, "created": "2026-03-11T11:50:23.874388+00:00", "updated": "2026-04-15T20:00:06.601469+00:00", "vendors": ["unitecms", "unitecms$PRODUCT$unlimited_elements_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}