CVE-2025-13692
Unlimited · Unlimited Elements For Elementor plugin for WordPress
Executive summary
A high-severity vulnerability has been identified in the Unlimited Elements For Elementor plugin for WordPress, affecting all versions up to and including 2. This flaw allows an attacker to inject malicious code into a website by uploading a specially crafted SVG image file, which can lead to website takeover, data theft, or redirection of visitors to malicious sites. Organizations using this plugin should update it immediately to prevent potential compromise.
Vulnerability
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw that exists because the plugin does not properly sanitize SVG files upon upload. An attacker with privileges to upload media files (such as a contributor or author) can craft an SVG file containing malicious JavaScript code. When this file is uploaded to the WordPress site and subsequently viewed or rendered in a browser by another user, particularly an administrator, the embedded script will execute within the context of that user's session, potentially leading to session hijacking, administrative account takeover, or the injection of further malware.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant negative impact on the business. An attacker could gain full administrative control of the affected WordPress website, leading to website defacement, theft of sensitive customer or company data stored on the site, and reputational damage. The compromised website could also be used as a platform to distribute malware or launch phishing attacks against customers and visitors, creating further liability and loss of trust.
Remediation
Immediate Action: Update the Unlimited Elements For Elementor plugin immediately to the latest available version (a version greater than 2), which contains the security patch for this vulnerability. If the plugin is no longer required for business operations, it should be deactivated and completely removed. Additionally, review all WordPress security settings to ensure they align with best practices, particularly regarding user roles and file upload permissions.
Proactive Monitoring: Monitor web server and application logs for suspicious file upload activity, specifically focusing on SVG files from unexpected sources or users. Implement file integrity monitoring to detect unauthorized changes to plugin files or the creation of new, suspicious files in the web directory. Network traffic should be monitored for outbound connections to unknown or malicious domains, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules designed to detect and block XSS payloads within file uploads. As a temporary measure, disable the ability for non-administrator users to upload files, or specifically disallow the uploading of SVG files through the WordPress media library until the plugin can be updated.
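The monitoring and compensating-control steps above call for inspecting SVG uploads for active content. The scanner below is an added example, not code from the advisory or the plugin, that flags the constructs a stored-XSS SVG relies on (script elements, on* event handlers, javascript: URIs) and can be run over a WordPress uploads directory; the sample SVGs are constructed, and the uploads path is an assumption.

```python
"""Flag SVG files that carry active content before they reach a browser."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for fully untrusted input
from pathlib import Path

# Elements that can execute or embed code inside an SVG document.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL-bearing attributes; a script scheme in one of these is a red flag.
URL_ATTRS = {"href", "src"}  # xlink:href resolves to "href" after _local()
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return findings for one SVG; an empty list means no active content seen.
    A file that does not parse is reported too: malformed is not 'clean'."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and SCRIPT_URI.match(value):
                findings.append(f"script URI in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not scan_svg(data)


def scan_upload_dir(uploads: Path) -> dict[str, list[str]]:
    """Walk an uploads tree (e.g. wp-content/uploads, assumed) and report hits."""
    return {str(p): f for p in uploads.rglob("*.svg") if (f := scan_svg(p.read_bytes()))}


# Constructed samples: a benign icon and a file carrying active content.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HOSTILE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           b'<script>alert(1)</script></svg>')
```

Treat a hit as a triage signal, not proof of compromise: confirm who uploaded the file and whether it was ever served to an administrator session.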
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) of this vulnerability and the widespread use of WordPress, we strongly recommend that all organizations using the Unlimited Elements For Elementor plugin prioritize its update immediately. The risk of website compromise is substantial, as an attacker could gain full control over the site. Although this CVE is not currently on the CISA KEV list, its potential for widespread impact makes it a critical threat that requires immediate attention and remediation.