Platform
wordpress
Component
unlimited-elements-for-elementor
Fixed in
2.0.7
CVE-2026-4659 is a Path Traversal vulnerability discovered in the Unlimited Elements for Elementor WordPress plugin. This vulnerability allows attackers to read arbitrary files on the server due to inadequate sanitization of path traversal sequences within the Repeater JSON/CSV URL parameter. Versions affected are those equal to or earlier than 2.0.6. A patch has been released in version 2.0.7.
The vulnerability stems from insufficient path traversal sanitization within the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output. An attacker can exploit this by crafting a malicious URL containing path traversal sequences (../) within the Repeater JSON/CSV URL parameter. Successful exploitation allows an attacker to bypass intended access controls and read files outside of the intended directory. This could lead to the exposure of configuration files, source code, or other sensitive data stored on the server. The debug output feature amplifies the risk by potentially revealing more information about the file system structure.
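To make the defect class concrete, here is an added Python illustration (not the plugin's URLtoRelative()/urlToPath() code, whose internals this advisory does not reproduce) that contrasts a naive URL-to-filesystem mapping with a hardened one that normalises the path and refuses anything outside a fixed base directory. The base directory UPLOAD_ROOT, the split on '/uploads/' and every URL in the block are assumptions made for the example.

```python
import posixpath
from urllib.parse import urlparse, unquote

# Assumed base directory that remote JSON/CSV URLs are mapped into. This is a
# constructed illustration of the defect class, not the plugin's own code.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads"


def _relative_part(url: str) -> str:
    """Take the part of the URL path after '/uploads/', percent-decoded."""
    path = unquote(urlparse(url).path)
    return path.split("/uploads/", 1)[-1].lstrip("/")


def naive_url_to_path(url: str, base: str = UPLOAD_ROOT) -> str:
    """Naive mapping: append the URL's relative part to the base directory.
    Nothing neutralises '..' segments, so the result can leave `base`."""
    return base + "/" + _relative_part(url)


class PathTraversalError(ValueError):
    """Raised when a resolved path would escape the allowed base directory."""


def safe_url_to_path(url: str, base: str = UPLOAD_ROOT) -> str:
    """Hardened mapping: normalise lexically, then require the result to be
    the base directory itself or a descendant of it."""
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, _relative_part(url)))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise PathTraversalError(f"refusing path outside {base_norm}: {candidate}")
    return candidate


def is_confined(url: str, base: str = UPLOAD_ROOT) -> bool:
    """True if the hardened mapping accepts the URL, False if it rejects it."""
    try:
        safe_url_to_path(url, base)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    good = "https://example.test/wp-content/uploads/2026/repeater.json"
    bad = "https://example.test/wp-content/uploads/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
    print("naive :", naive_url_to_path(bad))   # escapes the base directory
    print("safe  :", safe_url_to_path(good))   # stays inside the base directory
    print("bad confined?", is_confined(bad))   # False: the hardened mapping rejects it
```

The containment test is lexical; code that runs in production should also resolve symlinks (os.path.realpath) before comparing against the base, and any debug output should report only that a path was rejected rather than echoing the resolved path back to the requester.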
CVE-2026-4659 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code had been released at the time of writing, but the nature of the vulnerability makes it likely that PoCs will emerge. The vulnerability is not currently listed in the CISA KEV catalog. Given the ease of exploitation and the potential impact, it is considered a high-priority vulnerability to address.
WordPress websites using the Unlimited Elements for Elementor plugin at a version prior to 2.0.7 are at risk. Shared hosting environments where multiple users share the same server are especially exposed, as a compromise of one site could lead to the compromise of others. Sites with debug output enabled are also at increased risk.
• wordpress / composer / npm:
grep -r '../' /var/www/html/wp-content/plugins/unlimited-elements-for-elementor/*
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/unlimited-elements-for-elementor/repeater.php?url=../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Unlimited Elements for Elementor plugin to version 2.0.7 or later. If upgrading is not immediately feasible, consider disabling the Repeater feature within the Elementor plugin to reduce the attack surface. Additionally, ensure that debug output is disabled in widget settings to prevent information leakage. Web application firewalls (WAFs) configured to detect and block requests containing path traversal sequences can provide an additional layer of defense. Monitor WordPress access logs for suspicious requests containing '../' sequences targeting the Repeater JSON/CSV URL parameter.
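As an added example of the log monitoring recommended above (not tooling from the plugin's authors or this advisory's source), the following Python scans access-log lines in the common "combined" format, percent-decodes each query parameter repeatedly so that double-encoded sequences are caught, and flags any parameter carrying a standalone '..' segment. The log lines are constructed samples, and the parameter name `url` is taken from the check above only as an assumption; the scanner inspects every query parameter, so the real parameter name does not matter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
# The parameter name `url` is an assumption; every query parameter is inspected.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2026:10:01:02 +0000] "GET /wp-content/uploads/2026/data.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Apr/2026:10:01:07 +0000] "GET /index.php?url=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [16/Apr/2026:10:01:09 +0000] "GET /index.php?url=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.2 - - [16/Apr/2026:10:02:00 +0000] "GET /?s=a..b HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' that stands alone as a path segment (bounded by / or \ or the string ends).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded_value) for query parameters carrying a '..' segment."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if TRAVERSAL.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan combined-format log text; one finding per flagged parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name, value in suspicious_params(m["target"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "param": name, "value": value,
                "status": int(m["status"]), "size": m["size"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 2xx response with a non-trivial body on such a request deserves a closer look.
        print(f"{f['ip']} {f['ts']} {f['param']}={f['value']!r} -> {f['status']} ({f['size']} bytes)")
```

The segment-bounded pattern keeps ordinary values such as `a..b` from being flagged, while the repeated decoding catches the encoded and double-encoded forms that a WAF rule matching only the literal `../` would miss. Pair the findings with the response status and size: a traversal request answered with 200 and a body is the case to investigate first.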
Update to version 2.0.7 or a newer patched version.
CVE-2026-4659 is a vulnerability allowing attackers to read arbitrary files on a WordPress server using the Unlimited Elements for Elementor plugin. It's rated HIGH severity due to the potential for sensitive data exposure.
You are affected if you are using Unlimited Elements for Elementor version 2.0.6 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Unlimited Elements for Elementor plugin to version 2.0.7 or later. As a temporary workaround, disable the Repeater feature if upgrading is not immediately possible.
There is no confirmed active exploitation of CVE-2026-4659 as of the last update, but the vulnerability is publicly known and could be targeted.
Refer to the official Unlimited Elements for Elementor plugin website or the WordPress plugin repository for the latest advisory and update information.