CVE-2024-2662

Published: May 14, 2024Modified: Apr 8, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to command injection in all versions up to, and including, 1.5.102. This is due to insufficient filtering of template attributes during the creation of HTML for custom widgets This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary commands on the server.

Affected (1)

Products: Unlimited Elements: Unlimited Elements For Elementor

Unlimited Elements

1 product

Unlimited Elements For Elementor

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Unlimited Elements Unlimited Elements For Elementor	Before 1.5.103

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://plugins.trac.wordpress.org/changeset/3071404/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_template_engine.class.php

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/58492dbb-b9e0-4477-b85d-ace06dba954c?source=cve

Source: security@wordfence.com

Third Party Advisory

https://plugins.trac.wordpress.org/changeset/3071404/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_template_engine.class.php

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/58492dbb-b9e0-4477-b85d-ace06dba954c?source=cve

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.