Unlimited Elements for Elementor < 1.5.91 – Contributor+ Remote Code Execution via template import | CVE 2023-6743 | Plugin Vulnerabilities

Description

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.

Affects Plugins

unlimited-elements-for-elementor

Fixed in 1.5.91

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/25f71a19-85b1-4bc9-b193-d9de2eba81ee

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nex Team

Verified

No

WPVDB ID

8c0db9a8-8094-4efb-bf21-4ee37f3d4491

Timeline

Publicly Published

2024-05-28 (about 1 year ago)

Added

2024-05-28 (about 1 year ago)

Last Updated

2024-05-28 (about 1 year ago)

Other

Published

Title

Published

2015-02-26

Title

WP All Import Pro <= 4.1.0 - RCE

Published

2024-12-03

Title

Authors List < 2.0.5 - Unauthenticated Arbitrary Shortcode Execution

Published

2018-11-11

Title

Simple Link Directory < 5.6.0 - Authenticated PHP Object Injection

Published

2024-05-23

Title

Email Log < 2.4.9 - Unauthenticated Hook Injection

Published

2024-10-13

Title

Contact Form by Supsystic < 1.7.29 - Authenticated (Admin+) Remote Code Execution