Unlimited Elements For Elementor < 2.0.6 – Unauthenticated Stored Cross-Site Scripting | CVE 2026-2724 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the form entry fields due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.

Affects Plugins

unlimited-elements-for-elementor

Fixed in 2.0.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/68d4aa8c-70f9-46ba-92ce-fbb427954e86

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Tharadol Suksamran (d3kc4rt_1)

Verified

No

WPVDB ID

d64f04aa-c11c-4137-a05a-8037340da965

Timeline

Publicly Published

2026-03-09 (about 2 months ago)

Added

2026-03-09 (about 2 months ago)

Last Updated

2026-05-11 (about 1 day ago)

Other

Published

Title

Published

2025-02-03

Title

WP Project Manager < 2.6.23 - Admin+ Stored XSS

Published

2026-01-13

Title

Hide My WP <= 6.2.12 - Reflected Cross-Site Scripting

Published

2025-02-23

Title

Counters Block < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-02-20

Title

Clio Grow < 1.0.1 - Admin+ Stored XSS

Published

2024-07-15

Title

Community Events < 1.5.1 - Admin+ Stored XSS