Stored Cross-Site Scripting Vulnerability in Unlimited Elements for Elementor Plugin
CVE-2024-13155
Key Information:
- Vendor: WordPress
- CVE Published: 20 February 2025
What is CVE-2024-13155?
The Unlimited Elements for Elementor plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability caused by improper input sanitization and output escaping in the Transparent Split Hero widget. Authenticated users, including those with contributor permissions or higher, may exploit this flaw to inject malicious web scripts that execute on pages viewed by other users. To mitigate this risk, users must manually delete and reinstall the affected widget, because the widget's code is not integrated into the main codebase.

Affected Version(s)
Unlimited Elements For Elementor * <= 1.5.140