CVE-2026-2724

EUVD-2026-10482
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
WordfenceCNA
7.2 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/inc_php/unitecreator_form.class.php#L1151
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags/2.0.5/views/objects/form_entries_view.class.php#L336
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1151
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/views/objects/form_entries_view.class.php#L336
https://plugins.trac.wordpress.org/changeset/3470240/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php?old=3403331&old_path=unlimited-elements-for-elementor%2Ftrunk%2Finc_php%2Funitecreator_form.class.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/68d4aa8c-70f9-46ba-92ce-fbb427954e86?source=cve