CVE-2025-13692: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in unitecms Unlimited Elements for Elementor (Premium)
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled.
AI Analysis
Technical Summary
CVE-2025-13692 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Unlimited Elements for Elementor (Premium) WordPress plugin up to version 2.0. The vulnerability stems from insufficient input sanitization and output escaping of SVG file uploads within forms created by the premium plugin. Attackers can upload malicious SVG files containing embedded JavaScript, which execute whenever a user accesses the affected page or SVG resource. Notably, exploitation requires that a form with a file upload field be created using the premium plugin; however, once such a form exists, the vulnerability persists even if the premium plugin is deactivated or uninstalled, increasing the attack surface. The vulnerability is remotely exploitable without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), and impacts confidentiality and integrity by enabling script injection that can hijack user sessions, steal cookies, or perform unauthorized actions on behalf of users. Although no known exploits are currently in the wild, the high severity score (7.2) and ease of exploitation make this a critical concern for WordPress sites using this plugin. The lack of available patches at the time of disclosure necessitates immediate mitigation steps to reduce risk.
Potential Impact
For European organizations, especially those operating WordPress-based websites with the Unlimited Elements for Elementor plugin, this vulnerability poses a significant risk. Exploitation can lead to unauthorized script execution in the context of site visitors, potentially resulting in credential theft, session hijacking, defacement, or distribution of malware. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to compromised user data), and disrupt business operations. E-commerce platforms and sites handling sensitive user information are particularly vulnerable. The persistence of the vulnerability even after deactivation of the premium plugin increases the risk of unnoticed exploitation. Given the widespread use of WordPress across Europe, the vulnerability could affect a broad range of sectors including retail, finance, healthcare, and government services.
Mitigation Recommendations
1. Immediately audit WordPress sites for the presence of forms created with the premium Unlimited Elements for Elementor plugin that include file upload fields, especially those allowing SVG uploads.
2. Remove or disable any such forms until a patch is available.
3. Restrict or disable SVG file uploads entirely, as SVG files can contain executable scripts.
4. Implement Web Application Firewall (WAF) rules to detect and block malicious SVG payloads and suspicious file uploads.
5. Monitor web server logs for unusual access patterns to SVG files or unexpected script executions.
6. Educate site administrators about the risks of enabling file uploads without proper sanitization.
7. Once a patch or update is released by the vendor, apply it promptly and verify that the vulnerability is remediated.
8. Consider deploying Content Security Policy (CSP) headers to limit script execution sources and reduce XSS impact.
9. Regularly back up website data and configurations to enable quick recovery if exploitation occurs.
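The audit in steps 1, 3 and 5 comes down to finding SVG files under the upload tree that carry active content. The script below is an added example for that check, not code from the plugin or its vendor; it assumes the uploads live under a directory you pass in (for WordPress typically wp-content/uploads) and flags script elements, foreignObject, on* event-handler attributes and javascript: hrefs, which is the content a stored-XSS SVG needs to execute when a visitor opens it.

```python
import re
from pathlib import Path
import xml.etree.ElementTree as ET

# SVG elements that can carry active (scriptable) content.
ACTIVE_ELEMENTS = {"script", "foreignObject"}

def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG byte string should not be served as-is (empty if clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML will not render in a browser either, but report it rather
        # than silently passing a file a reviewer may still want to look at.
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"{a} handler on <{name}>")
            elif a == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URI on <{name}>")
    return findings

def audit_uploads(upload_dir: Path) -> dict[str, list[str]]:
    """Walk an uploads tree and map each risky SVG path to its findings."""
    results = {}
    for path in upload_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            hits = svg_findings(path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results

# Constructed samples (not taken from the advisory) for a quick self-check.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
RISKY_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
             b'onload="void 0"><script>/* constructed */</script>'
             b'<a xlink:href="javascript:void 0"><text>x</text></a></svg>')

if __name__ == "__main__":
    import sys
    for svg_path, hits in audit_uploads(Path(sys.argv[1])).items():
        print(svg_path, "->", "; ".join(hits))
```

Any file it reports should be quarantined regardless of whether the premium plugin is still active, since the advisory notes the uploaded files remain reachable after deactivation.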
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T20:34:52.440Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69285b2504903f3285f53286
Added to database: 11/27/2025, 2:07:33 PM
Last enriched: 12/4/2025, 2:10:48 PM
Last updated: 1/11/2026, 8:19:11 PM