CVE-2026-2724 is a stored cross-site scripting vulnerability identified in the Unlimited Elements for Elementor plugin for WordPress, affecting all versions up to and including 2.0.5. The vulnerability stems from insufficient sanitization and escaping of user input submitted via form entry fields. Specifically, when form submission data is displayed in the admin Form Entries Trash view, malicious scripts embedded by an attacker can execute in the context of an administrator’s browser. This occurs because the plugin fails to properly neutralize input during web page generation, classified under CWE-79. The attack vector is remote and requires no authentication or user interaction, making it highly accessible to attackers. The vulnerability impacts confidentiality and integrity by enabling script execution that could lead to session hijacking, privilege escalation, or unauthorized actions within the WordPress admin interface. The CVSS 3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and scope change due to potential impact beyond the vulnerable component. No patches or exploit code are currently publicly available, but the risk remains significant given the plugin's popularity and the critical role of administrative access in WordPress environments.

The exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript in the context of an administrator’s session, potentially leading to theft of admin credentials, session hijacking, or unauthorized administrative actions. This compromises the confidentiality and integrity of the affected WordPress sites. Since the vulnerability is stored XSS, malicious scripts persist and execute whenever an admin views the affected form entries, increasing the attack window. Organizations relying on Unlimited Elements for Elementor risk site defacement, data leakage, or further compromise of their web infrastructure. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks. This can disrupt business operations, damage reputation, and lead to regulatory compliance issues, especially for entities handling sensitive or personal data.

Organizations should immediately update the Unlimited Elements for Elementor plugin to a patched version once available. Until a patch is released, administrators should avoid accessing the Form Entries Trash view or implement strict access controls limiting admin interface exposure. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script payloads in form submissions can reduce risk. Additionally, security teams should audit and sanitize existing form entries to remove any malicious scripts. Implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular monitoring of admin activities and logs for unusual behavior can aid in early detection of exploitation attempts. Finally, educating administrators about the risks of viewing untrusted form data can reduce inadvertent exposure.