Unlimited Elements for Elementor reads arbitrary files (CVE-2026-4659)
CVE-2026-4659
Overview
A high-severity vulnerability, CVE-2026-4659, has been identified in the Unlimited Elements for Elementor plugin for WordPress. This flaw allows authenticated attackers to read arbitrary files from the underlying server, potentially exposing critical system and application configuration data.
Vulnerability Details
The vulnerability exists in plugin versions up to and including 2.0.6. It stems from insufficient input sanitization within the URLtoRelative() and urlToPath() functions. Specifically, the code fails to properly neutralize directory traversal sequences (../) when processing a user-supplied URL parameter for the Repeater JSON/CSV feature.
When combined with the ability to enable debug output in widget settings, an attacker can craft a malicious URL. The plugin incorrectly processes this URL, stripping the domain but leaving the traversal sequences intact. This allows an attacker to escape the web root directory and access sensitive files elsewhere on the host system, such as /etc/passwd on Linux servers or the WordPress wp-config.php file.
Impact
The primary impact is unauthorized local file read. An attacker with Author-level access or higher to a WordPress site can exploit this to read sensitive files. Successfully reading the wp-config.php file would reveal database credentials, authentication keys, and salts, leading to a complete site compromise. Reading other system files could expose additional secrets or facilitate further attacks.
Affected Versions and Remediation
All versions of the Unlimited Elements for Elementor plugin up to and including 2.0.6 are affected.
Immediate Action Required: Site administrators must update the plugin to the latest patched version. The plugin developer has released a fix in a subsequent version. After updating, review user accounts with Author or higher privileges and monitor for any suspicious file access activity. There are no known workarounds; updating is the only effective mitigation.
Security Insight
This vulnerability is a classic example of insufficient path traversal defense, where simple string replacement was mistaken for robust sanitization. It highlights a recurring theme in WordPress plugin security: the combination of powerful builder functionality with inadequate input validation creates significant risk. Similar file read flaws in other popular plugins have been frequently exploited to stage larger attacks, underscoring the importance of rigorous security testing for add-ons that handle file system operations.
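To make the "string replacement is not sanitization" point from the Vulnerability Details and Security Insight sections concrete, here is an added PHP example (not the plugin's code; the helper names, site URL and web root are assumptions) that places the weak domain-stripping pattern next to a URL-to-path routine that rejects traversal segments and checks the canonical path against the allowed directory:

```php
<?php
// Added example; hypothetical helpers, not the plugin's own URLtoRelative()/urlToPath().
// Constructed sample values: $site_url is the site address, $base_dir the web root.
// Weak pattern the advisory describes: strip the domain by string replacement and
// treat the remainder as a path under $base_dir. "../" segments survive untouched,
// so the returned path can point outside $base_dir once the OS resolves it.
function weak_url_to_path(string $url, string $site_url, string $base_dir): string
{
    $relative = str_replace($site_url, '', $url);
    return rtrim($base_dir, '/') . '/' . ltrim($relative, '/');
}

// Hardened version: parse the URL, refuse foreign hosts and traversal segments,
// canonicalise with realpath() and require the result to stay inside $base_dir.
function safe_url_to_path(string $url, string $site_url, string $base_dir): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path) || $host !== parse_url($site_url, PHP_URL_HOST)) {
        return null;                       // not an absolute URL on this site
    }
    $path = rawurldecode($path);           // decode before inspecting segments
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..' || $segment === '.') {
            return null;                   // reject traversal instead of stripping it
        }
    }
    $base_real = realpath($base_dir);
    $candidate = realpath(rtrim($base_dir, '/') . '/' . ltrim($path, '/'));
    if ($base_real === false || $candidate === false) {
        return null;                       // base missing, or file does not exist
    }
    // Containment check on the canonical path (symlinks are resolved by realpath()).
    if (strpos($candidate, $base_real . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // The repeater feature only needs JSON/CSV data, so allow nothing else.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    return in_array($ext, ['json', 'csv'], true) ? $candidate : null;
}

// Constructed inputs: a legitimate data file and a URL carrying traversal segments.
$site = 'https://example.com';
$root = '/var/www/html';
$good = $site . '/wp-content/uploads/data.json';
$bad  = $site . '/wp-content/uploads/../../../outside.json';
echo "weak: ", weak_url_to_path($bad, $site, $root), PHP_EOL;   // "../" passes through
echo "safe: ", var_export(safe_url_to_path($bad, $site, $root), true), PHP_EOL;
echo "safe: ", var_export(safe_url_to_path($good, $site, $root), true), PHP_EOL;
```

The traversal URL is refused before any filesystem access; the legitimate URL resolves to its canonical path only on a host where that file actually exists under the web root, otherwise realpath() fails and the function returns null.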