Arbitrary File Read Vulnerability in Unlimited Elements for Elementor Plugin by WordPress
CVE-2026-4659

7.5HIGH

Key Information:

Vendor: WordPress
Status: Unlimited Elements For Elementor
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-4659?

The Unlimited Elements for Elementor plugin has a vulnerability that allows authenticated users with Author-level access or higher to read arbitrary files on the server. This security issue arises from inadequate sanitization in the path traversal functions, particularly in URLtoRelative() and urlToPath(). The functions fail to sufficiently clean up input, making it possible for attackers to exploit this flaw using specially crafted URLs. By executing requests with malicious parameters, attackers can gain access to sensitive files, such as the wp-config file, leading to serious implications for data integrity and site security.

Affected Version(s)

Unlimited Elements For Elementor 0 <= 2.0.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/unlimited-elem...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

Dmitrii Ignatyev

CVE-2026-4659 Data

JSON