WordPress Plugin Vulnerabilities

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.122 - Authenticated (Editor+) Remote Code Execution

Description

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.121 via the template engine. This is due to the plugin not properly restricting functions that can be called and passed to code execution functions. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
unlimited-elements-for-elementor
Fixed in 1.5.122

References

CVE
CVE-2024-49271
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf8d34ea-cf05-4b20-9d1c-8cf0c608dfc3

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Hakiduck
Verified
No
WPVDB ID
880e8757-eb4f-420f-9247-f0526914c99a

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-22 (about 1 year ago)
Last Updated
2024-10-22 (about 1 year ago)

Other

Published
Title
Published
2025-08-14
Title
Add Custom Codes < 5.0 - Authenticated (Contributor+) Remote Code Execution
Published
2026-05-01
Title
Widget Options < 4.2.3 - Contributor+ Remote Code Execution via Display Logic
Published
2023-08-28
Title
Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload
Published
2024-12-12
Title
Simple Link Directory < 8.4.6 - Unauthenticated Arbitrary Shortcode Execution
Published
2023-11-07
Title
Rename Media Files <= 1.0.1 - Authenticated (Contributor+) Remote Code Execution