Plugin Vulnerability Hub
Plugin 29 known issues Latest disclosed Apr 16, 2026

Unlimited Elements For Elementor Vulnerabilities

Review known vulnerability records for the WordPress plugin Unlimited Elements For Elementor (`unlimited-elements-for-elementor`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-4659, CVE-2026-2724 and CVE-2025-14274, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 29
High or Critical: 12
Patch Coverage: 100%
Last Updated: Apr 16, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Unlimited Elements For Elementor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 29 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 2 critical and 10 high severity findings.
Recent CVEs: CVE-2026-4659, CVE-2026-2724 and CVE-2025-14274
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Unlimited Elements For Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-4659
Unlimited Elements For Elementor <= 2.0.6 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions...

Published: Apr 16, 2026
Patched Release: 2.0.7
Affected Versions: Versions up to 2.0.6
Next Step: Update to 2.0.7 or newer if supported.

Plugin High Patched: Yes CVE-2026-2724
Unlimited Elements For Elementor <= 2.0.5 - Unauthenticated Stored Cross-Site Scripting via Form Entry Fields

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in th...

Published: Mar 09, 2026
Patched Release: 2.0.6
Affected Versions: Versions up to 2.0.5
Next Step: Update to 2.0.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-14274
Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it p...

Published: Feb 02, 2026
Patched Release: 2.0.2
Affected Versions: Versions up to 2.0.1
Next Step: Update to 2.0.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-8603
Unlimited Elements For Elementor <= 1.5.148 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published: Aug 27, 2025
Patched Release: 1.5.149
Affected Versions: Versions up to 1.5.148
Next Step: Update to 1.5.149 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-1663
Unlimited Elements For Elementor <= 1.5.142 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published: Apr 02, 2025
Patched Release: 1.5.143
Affected Versions: Versions up to 1.5.142
Next Step: Update to 1.5.143 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-13155
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.140 - Authenticated (Contributor+) Stored Cross-Site Scripting via Transparent Split Hero Widget

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Transparent Split Hero widget in all versions up to, and including, 1.5.140 due to insufficient input sanitization and output escaping on user supplied attribut...

Published: Feb 19, 2025
Patched Release: 1.5.141
Affected Versions: Versions up to 1.5.140
Next Step: Update to 1.5.141 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-13153
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.135 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.5.135 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Published: Jan 08, 2025
Patched Release: 1.5.136
Affected Versions: Versions up to 1.5.135
Next Step: Update to 1.5.136 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10784
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.126 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Tile Gallery’ widget in all versions up to, and including, 1.5.126 due to insufficient input sanitization and output escaping. This ma...

Published: Dec 11, 2024
Patched Release: 1.5.127
Affected Versions: Versions up to 1.5.126
Next Step: Update to 1.5.127 or newer if supported.

Plugin High Patched: Yes CVE-2024-49271
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.121 - Authenticated (Editor+) Remote Code Execution

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.121 via the template engine. This is due to the plugin not properly restricting functions that can be calle...

Published: Oct 14, 2024
Patched Release: 1.5.122
Affected Versions: Versions up to 1.5.121
Next Step: Update to 1.5.122 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-45454
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.121 - Reflected Cross-Site Scripting

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5.121 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic...

Published: Sep 30, 2024
Patched Release: 1.5.122
Affected Versions: Versions up to 1.5.121
Next Step: Update to 1.5.122 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-6169
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.112 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'username'

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.5.112 due to insufficient input sanitization and output escaping. This mak...

Published: Jul 08, 2024
Patched Release: 1.5.113
Affected Versions: Versions up to 1.5.112
Next Step: Update to 1.5.113 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-6170
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.112 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'email'

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘email’ parameter in all versions up to, and including, 1.5.112 due to insufficient input sanitization and output escaping. This makes...

Published: Jul 08, 2024
Patched Release: 1.5.113
Affected Versions: Versions up to 1.5.112
Next Step: Update to 1.5.113 or newer if supported.