CVE-2024-6171

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 1.5.112 due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers  to bypass antispam functionality in the Form Builder widgets.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
WordfenceCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
unlimited-elementsunlimited_elements_for_elementor_\(free_widgets\,_addons\,_templates\)
𝑥
≤ 1.5.112
unlimited-elementsunlimited_elements_for_elementor_\(free_widgets\,_addons\,_templates\)
𝑥
< 1.5.113
𝑥
= Vulnerable software versions
References
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L3407
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L742
https://plugins.trac.wordpress.org/changeset/3112307/
https://www.wordfence.com/threat-intel/vulnerabilities/id/714acd7d-6d19-4087-bb27-b9a4ccbb678b?source=cve
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L3407
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L742
https://plugins.trac.wordpress.org/changeset/3112307/
https://www.wordfence.com/threat-intel/vulnerabilities/id/714acd7d-6d19-4087-bb27-b9a4ccbb678b?source=cve