WordPress Plugin Vulnerabilities

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Admin+ Command Injection

Description

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to command injection in all versions up to, and including, 1.5.102. This is due to insufficient filtering of template attributes during the creation of HTML for custom widgets This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary commands on the server.

Affects Plugins

Plugin icon
unlimited-elements-for-elementor
Fixed in 1.5.103

References

CVE
CVE-2024-2662
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/58492dbb-b9e0-4477-b85d-ace06dba954c

Classification

Type
COMMAND INJECTION
OWASP top 10
A1: Injection
CWE
CWE-78
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
fe02b7e7-903a-46ff-b4a1-4c3f55f627b8

Timeline

Publicly Published
2024-05-09 (about 2 years ago)
Added
2024-05-09 (about 2 years ago)
Last Updated
2024-10-01 (about 1 year ago)

Other

Published
Title
Published
2023-10-05
Title
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Published
2024-08-23
Title
Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
Published
2025-03-25
Title
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid < 1.17.0 - Authenticated (Admin+) Command Injection
Published
2022-10-18
Title
ImageMagick-Engine < 1.7.6 - Command Injection via CSRF
Published
2026-02-17
Title
Popup Box – Easily Create WordPress Popups < 3.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting