Unlimited Elements for Elementor plugin allows malicious scripts to run in WordPress admin
CVE-2026-2724
Summary
Versions 2.0.5 and earlier of the Unlimited Elements for Elementor plugin for WordPress let attackers inject malicious code that runs when administrators view trashed form entries. This can lead to unauthorized access to sensitive data or other security risks. To protect your site, update the plugin to the latest version, or remove it if you don't use it.
Original title
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insuffic...
Original description
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.
NVD CVSS 3.1
7.2
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags...
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/tags...
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trun...
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trun...
- https://plugins.trac.wordpress.org/changeset/3470240/unlimited-elements-for-elem...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/68d4aa8c-70f9-46ba-92c...
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026