Unlimited Elements for Elementor < 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget | CVE 2025-14274 | Plugin Vulnerabilities

Description

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

unlimited-elements-for-elementor

Fixed in 2.0.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/482c4986-3677-4754-992b-ea9be7573d2e

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

zer0gh0st

Verified

No

WPVDB ID

1e7cd54e-2f2e-466a-bd64-74df7190c313

Timeline

Publicly Published

2026-02-02 (about 3 months ago)

Added

2026-02-02 (about 3 months ago)

Last Updated

2026-02-03 (about 3 months ago)

Other

Published

Title

Published

2024-07-10

Title

Feeds for YouTube (YouTube video, channel, and gallery plugin) < 2.2.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Published

2020-01-29

Title

Elementor Page Builder < 2.7.7 - Authenticated Stored XSS

Published

2024-11-21

Title

Control horas <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-07-05

Title

Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2022-06-21

Title

LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting