The Unlimited Elements for Elementor (Premium) WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, SVG file uploads are not sufficiently sanitized or escaped, enabling unauthenticated attackers to inject arbitrary web scripts. Exploitation requires a form with a file upload field created by the premium plugin version, but the vulnerability remains exploitable even if the premium plugin is later deactivated or removed. This vulnerability affects all versions up to 2.0 and has a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating network attack vector, low attack complexity, no privileges or user interaction required, with impact on confidentiality and integrity but no availability impact. No known exploits in the wild have been reported, and no patch or remediation details are currently available.

Successful exploitation allows unauthenticated attackers to inject and execute arbitrary scripts in the context of users accessing the affected SVG files, potentially leading to data disclosure and integrity compromise. The vulnerability does not impact availability. The vulnerability persists even if the premium plugin is deactivated or uninstalled after the required form is created, increasing the risk window.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid creating forms with file upload fields using the premium plugin version and consider removing any existing forms that enable SVG uploads. Monitoring for plugin updates from the vendor is recommended to apply any forthcoming patches promptly.