Stored Cross-Site Scripting Vulnerability in Unlimited Elements for Elementor Plugin by WordPress
CVE-2025-14274

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Unlimited Elements For Elementor
Vendor: CVE Published:; 3 February 2026

What is CVE-2025-14274?

The Unlimited Elements for Elementor plugin for WordPress suffers from a vulnerability that allows for Stored Cross-Site Scripting (XSS) through the Button Link field of the Border Hero widget. This issue arises from inadequate input sanitization and output escaping of user-supplied URLs. Attackers with Contributor-level access or higher could exploit this vulnerability to inject arbitrary scripts into pages. These malicious scripts would execute in the browsers of users who access affected pages, potentially leading to data theft or user impersonation.

Affected Version(s)

Unlimited Elements For Elementor 0 <= 2.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/unlimited-elem...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Dec 8, 2025

Credit

D.Sim

CVE-2025-14274 Data

JSON