CVE-2026-4659
Received Received - Intake
Arbitrary File Read in Unlimited Elements for Elementor Plugin

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-05-06
AI Q&A
2026-04-17
EPSS Evaluated
2026-05-05
NVD
CVE-2026-4659
EUVD
EUVD-2026-23380
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unlimited_elements unlimited_elements_for_elementor to 2.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Unlimited Elements for Elementor plugin for WordPress has a vulnerability that allows an attacker to read arbitrary files on the server. This happens because the plugin does not properly sanitize path traversal sequences (like ../) in certain URL parameters. Specifically, the functions URLtoRelative() and urlToPath() fail to remove these sequences, allowing an attacker to craft a URL that accesses sensitive files on the server.

An attacker with Author-level access or higher can exploit this by using the Repeater JSON/CSV URL parameter combined with enabled debug output in widget settings to read files such as the WordPress configuration file (wp-config).


How can this vulnerability impact me? :

This vulnerability can allow an attacker with Author-level access or above to read arbitrary local files on the WordPress host. This includes sensitive files like wp-config.php, which may contain database credentials and other critical configuration information.

The exposure of such sensitive files can lead to further compromise of the website, including unauthorized access to the database, leakage of sensitive data, and potential site takeover.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config. This exposure of sensitive information could potentially lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly detail the impact on compliance with these standards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart