Platform
wordpress
Component
unlimited-elements-for-elementor
Fixed in
2.0.7
CVE-2026-4659 is a path traversal vulnerability in the Unlimited Elements for Elementor WordPress plugin. Path traversal sequences in the Repeater JSON/CSV URL parameter are not adequately sanitized, which allows attackers to read arbitrary files on the server. Versions 2.0.6 and earlier are affected; the fix was released in version 2.0.7.
An attacker exploiting this vulnerability can use the Repeater JSON/CSV URL parameter to read sensitive files from the server's file system. The missing path sanitization in the urlToRelative() and urlToPath() functions, combined with the ability to enable debug output, lets an attacker bypass the intended file-access restrictions. Successful exploitation could expose configuration files, database credentials, or other sensitive data. The impact is not limited to data disclosure: with that data, an attacker could gain further access to the WordPress environment or even the underlying server.
CVE-2026-4659 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code has been identified as of this writing. The vulnerability is not currently listed on the CISA KEV catalog. The potential for exploitation is considered medium due to the relatively straightforward nature of path traversal vulnerabilities and the widespread use of the Elementor plugin.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2026-4659 is to immediately upgrade the Unlimited Elements for Elementor plugin to version 2.0.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider disabling the Repeater feature within the plugin to reduce the attack surface. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious path traversal sequences in the Repeater URL parameter. Regularly review WordPress plugin configurations and disable debug mode to minimize the risk of information disclosure.
Update to version 2.0.7, or a newer patched version
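The WAF and log-review mitigation above can be turned into a concrete check. The following is an added example, not code from the plugin or from this advisory; it assumes a combined-format web server access log and placeholder parameter names (`url`, `json_url`, `csv_url`), since the advisory only names "the Repeater JSON/CSV URL parameter". It decodes each value until stable so that double-encoded and backslash variants of `../` are caught, and ignores a `..` that merely sits inside a file name.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Placeholder names: the advisory only says "the Repeater JSON/CSV URL parameter".
URL_PARAMS = {"url", "json_url", "csv_url"}
# A '..' path segment bounded by slashes (or by the start/end of the value).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

def normalise(value: str) -> str:
    """Percent-decode until stable (catches double encoding) and fold
    backslashes to '/' so obfuscated sequences collapse to a plain '../'."""
    current, previous = value, None
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote(current)
    return current.replace("\\", "/")

def traversal_params(request_target: str) -> list[str]:
    """Names of URL-type query parameters whose decoded value holds a '..' segment."""
    query = urlsplit(request_target).query  # parse_qs removes one encoding layer itself
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in URL_PARAMS and any(TRAVERSAL_RE.search(normalise(v)) for v in values):
            hits.append(name)
    return hits

def scan_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, flagged_params) for each suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := traversal_params(m["path"])):
            alerts.append((m["ip"], m["path"], hits))
    return alerts

# Constructed sample log lines; the endpoint path is illustrative, not the plugin's real one.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Apr/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?url=https%3A%2F%2Fexample.com%2Fdata.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Apr/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?url=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.8 - - [16/Apr/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?url=%252e%252e%2F%252e%252e%2Fconfig.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [16/Apr/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?url=..%5C..%5Cconfig.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.6 - - [16/Apr/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?url=https%3A%2F%2Fexample.com%2Ffile..name.json HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
```

Feed real access-log lines to scan_log() in place of SAMPLE_LOG; each alert tuple gives the source IP, the full request target, and which parameter tripped the check.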
CVE-2026-4659 is a vulnerability allowing attackers to read arbitrary files on a WordPress server using the Unlimited Elements for Elementor plugin. It's rated HIGH severity due to the potential for sensitive data exposure.
You are affected if you are using Unlimited Elements for Elementor version 2.0.6 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Unlimited Elements for Elementor plugin to version 2.0.7 or later. As a temporary workaround, disable the Repeater feature if upgrading is not immediately possible.
There is no confirmed active exploitation of CVE-2026-4659 as of the last update, but the vulnerability is publicly known and could be targeted.
Refer to the official Unlimited Elements for Elementor plugin website or the WordPress plugin repository for the latest advisory and update information.
CVSS Vector