Unlimited Elements For Elementor and Unlimited Elements For Elementor (Premium) < 2.0.1 – Unauthenticated Stored Cross-Site Scripting via SVG File Upload | CVE 2025-13692 | Plugin Vulnerabilities

Description

The plugins are vulnerable to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled.

Affects Plugins

unlimited-elements-for-elementor

Fixed in 2.0.1

unlimited-elements-for-elementor-premium

Fixed in 2.0.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

0xd4rk5id3, 0xVenus

Verified

No

WPVDB ID

f0e2656b-cace-4796-a81a-e9884a833522

Timeline

Publicly Published

2025-11-26 (about 5 months ago)

Added

2025-11-27 (about 5 months ago)

Last Updated

2025-11-27 (about 5 months ago)

Other

Published

Title

Published

2024-03-14

Title

Elements Plus! < 2.16.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via widget links

Published

2026-01-06

Title

AD Sliding FAQ <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2023-08-18

Title

WP Docs < 2.0.0 - Reflected XSS

Published

2021-12-14

Title

Real WYSIWYG <= 0.0.2 - Reflected Cross-Site Scripting

Published

2023-01-11

Title

GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS