CVE-2026-4659: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in unitecms Unlimited Elements For Elementor
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.
AI Analysis
Technical Summary
The Unlimited Elements for Elementor plugin suffers from a path traversal vulnerability due to improper sanitization in the URLtoRelative() and urlToPath() functions. These functions fail to remove or neutralize '../' sequences in URLs, allowing attackers to craft URLs that traverse directories outside the intended scope. When debug output is enabled, an authenticated user with Author-level privileges can exploit this flaw via the Repeater JSON/CSV URL parameter to read arbitrary files on the WordPress host filesystem, including sensitive configuration files. The vulnerability is present in versions up to and including 2.0.6.
Potential Impact
An attacker with Author-level or higher privileges can read arbitrary local files on the WordPress server, potentially exposing sensitive information such as database credentials stored in wp-config.php. This compromises confidentiality but does not affect integrity or availability. The CVSS score is 7.5 (high severity), reflecting the significant confidentiality impact and the requirement for authenticated access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, restrict Author-level access to trusted users only and consider disabling debug output in widget settings to reduce exposure. Monitor official vendor channels for updates and apply any official fixes once released.
CVE-2026-4659: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in unitecms Unlimited Elements For Elementor
Description
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Unlimited Elements for Elementor plugin suffers from a path traversal vulnerability due to improper sanitization in the URLtoRelative() and urlToPath() functions. These functions fail to remove or neutralize '../' sequences in URLs, allowing attackers to craft URLs that traverse directories outside the intended scope. When debug output is enabled, an authenticated user with Author-level privileges can exploit this flaw via the Repeater JSON/CSV URL parameter to read arbitrary files on the WordPress host filesystem, including sensitive configuration files. The vulnerability is present in versions up to and including 2.0.6.
Potential Impact
An attacker with Author-level or higher privileges can read arbitrary local files on the WordPress server, potentially exposing sensitive information such as database credentials stored in wp-config.php. This compromises confidentiality but does not affect integrity or availability. The CVSS score is 7.5 (high severity), reflecting the significant confidentiality impact and the requirement for authenticated access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, restrict Author-level access to trusted users only and consider disabling debug output in widget settings to reduce exposure. Monitor official vendor channels for updates and apply any official fixes once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-23T16:01:46.932Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1dae182d89c981f9ddcbd
Added to database: 4/17/2026, 7:01:53 AM
Last enriched: 4/17/2026, 7:16:57 AM
Last updated: 4/21/2026, 2:50:27 AM
Views: 26
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.