Stored Cross-Site Scripting Vulnerability in Unlimited Elements for Elementor Plugin by WordPress
CVE-2026-2724

7.2HIGH

Key Information:

Vendor: WordPress
Status: Unlimited Elements For Elementor
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-2724?

The Unlimited Elements for Elementor plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability, which arises from inadequate input sanitization and output escaping in form submission data. This vulnerability is present in all versions up to and including 2.0.5, allowing unauthenticated attackers to potentially inject malicious scripts. These scripts can execute when an administrator views the trashed form entries, posing significant risks to site security and admin integrity.

Affected Version(s)

Unlimited Elements For Elementor 0 <= 2.0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/unlimited-elem...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Feb 18, 2026

Credit

Athiwat Tiprasaharn

Itthidej Aramsri

Tharadol Suksamran

CVE-2026-2724 Data

JSON